PERMANENT RULES
COMMISSION
1 SYNOPSIS: The commission adopts rules governing how telecommunications companies may use information they possess about the telecommunications services a particular customer uses and how the customer uses them. The rules follow the framework of corresponding rules recently adopted by the Federal Communications Commission, but contain three important differences:
| • | The rules provide increased protection for particularly sensitive personal information, including the phone numbers a customer calls and including highly specific phone calling habits of the customer. A company may not use this information, known as "call detail," without the customer's express ("opt-in") approval, except as necessary for the company to provide service or as required by law. |
| • | We narrow the scope of a telecommunications company's "family" of affiliated companies, within which it may share information about a customer if the customer does not "opt-out." The effect is to require express ("opt-in") approval for disclosure to more types of entities than the federal rules require. |
| • | We improve the notice that companies must provide to customers, in order to help customers understand what is at stake. Also, by requiring companies to offer their customers more convenient methods for opting-out, we enhance customers' ability to exercise that choice, where applicable. |
2 STATUTORY OR OTHER AUTHORITY: The Washington Utilities and Transportation Commission takes this action under Notice No. WSR 02-08-081, filed with the code reviser on April 3, 2002. The commission brings this proceeding pursuant to RCW 80.01.040 and 80.04.160.
3 STATEMENT OF COMPLIANCE: This proceeding complies with the Open Public Meetings Act (chapter 42.30 RCW), the Administrative Procedure Act (chapter 34.05 RCW), the State Register Act (chapter 34.08 RCW), the State Environmental Policy Act of 1971 (chapter 43.21C RCW), and the Regulatory Fairness Act (chapter 19.85 RCW).
4 DATE OF ADOPTION: The commission adopts these rules on the date that this order is entered.
5 CONCISE STATEMENT OF PURPOSE AND EFFECT OF THE RULE: RCW 34.05.325 requires that the commission prepare and provide to commenters a concise explanatory statement about an adopted rule. The statement must include the identification of the reasons for adopting the rule, a summary of the comments received regarding the proposed rule, and responses reflecting the commission's consideration of the comments. The commission often includes a discussion of these matters in its rule adoption orders.
6 In this rule making, in order to avoid unnecessary duplication, the commission designates the discussion in this order, including Appendices A and B, as its concise explanatory statement.
7 REFERENCE TO AFFECTED RULES: This order repeals the following sections of the Washington Administrative Code:
| WAC 480-120-144 | Use of privacy listings for telephone solicitation. |
| WAC 480-120-151 | Telecommunications carriers' use of customer proprietary network information (CPNI). |
| WAC 480-120-152 | Notice and approval required for use of customer proprietary network information (CPNI). |
| WAC 480-120-153 | Safeguards required for use of customer proprietary network information (CPNI). |
| WAC 480-120-154 | Definitions. |
| WAC 480-120-201 | Definitions. |
| WAC 480-120-203 | Use of customer proprietary network information (CPNI) not permitted to identify or track customer calls to competing service providers. |
| WAC 480-120-204 | Opt-in approval required for use, disclosure, or access to customer I-CPNI. |
| WAC 480-120-205 | Using customer proprietary network information (CPNI) in the provision of services. |
| WAC 480-120-206 | Using individual customer proprietary network information (CPNI) during inbound and outbound telemarketing calls. |
| WAC 480-120-207 | Use of private account information (PAI) by company or associated companies requires opt-out approval. |
| WAC 480-120-208 | Use of customers' private account information (PAI) to market company products and services without customer approval. |
| WAC 480-120-209 | Notice when use of private account information (PAI) is permitted unless a customer directs otherwise ("opt-out"). |
| WAC 480-120-211 | Mechanisms for opting out of use of private customer account information (PAI). |
| WAC 480-120-212 | Notice when express ("opt-in") approval is required and mechanisms for express approval. |
| WAC 480-120-213 | Confirming changes in customer approval status. |
| WAC 480-120-214 | Duration of customer approval or disapproval. |
| WAC 480-120-215 | Safeguards required for CPNI. |
| WAC 480-120-216 | Disclosing CPNI on request of customer. |
| WAC 480-120-217 | Using privacy listings for telephone solicitation. |
| WAC 480-120-218 | Using subscriber list information for purposes other than directory publishing. |
| WAC 480-120-219 | Severability. |
| WAC 480-120-202 | Use of customer proprietary network information (CPNI) permitted. |
11 ADDITIONAL NOTICE AND ACTIVITY PURSUANT TO PREPROPOSAL STATEMENT: The statement advised interested persons that the commission was considering a rule making to review rules relating to regulated telephone companies for content and readability pursuant to Executive Order 97-02, with attention to the rules' need, effectiveness and efficiency, clarity, intent, and statutory authority, coordination, cost, and fairness. The statement also advised that the review would include consideration of whether substantive changes or additional rules are required for telecommunications regulation generally, in concert with the Federal Telecommunications Act of 1996 and potential actions by the Washington legislature during its 1999 session. The commission also provided notice of the subject and the CR-101 to all persons on the commission's list of persons requesting such information pursuant to RCW 34.05.320(3), and sent notice to all registered telecommunications companies and to the commission's list of telecommunications attorneys. The commission posted the relevant rule-making information on its internet website at www.wutc.wa.gov.
12 MEETINGS AND WORKSHOPS; ORAL COMMENTS: The commission held several rule-making workshops on draft rules in Docket No. UT-990146 concerning chapter 480-120 WAC. At a workshop held on June 5, 6, and 7, 2001, WAC 480-120-144 Use of privacy listings for telephone solicitation, was included on the agenda. That rule has been amended and adopted as WAC 480-120-217.
13 On January 23 and 24, 2002, the commission held evening public meetings on the topic of privacy of customer telephone records. The meeting on January 23 was held in Bothell, Washington, and the January 24 meeting was held in Fife, Washington. The times and locations of the meetings were widely reported in the press in advance, both meetings were attended by members of the public, and both were reported on by the media.
14 The commission held a special open meeting on February 5, 2002, for the purpose of considering adoption of an emergency rule on the topic of customer privacy. At the beginning of the meeting, the commission informed attendees that it would not be taking action on an emergency rule, but invited participation in a discussion of the topic. Representatives of several large telecommunications companies spoke on the topic.
15 On March 14 and 22, 2002, the commission held half-day rule-making workshops on issues related to customer privacy rules. These workshops were attended by representatives of diverse interests, including telecommunications companies, public interest organizations, state agencies, and public counsel.
16 NOTICE OF PROPOSED RULE MAKING: The commission filed a notice of proposed rule making (CR-102) on April 3, 2002, at WSR 02-08-081. The commission scheduled this matter for oral comment and adoption under Notice No. WSR 02-08-081 at 9:30 a.m., Friday, July 26, 2002, in the Commission's Hearing Room, Second Floor, Chandler Plaza Building, 1300 South Evergreen Park Drive S.W., Olympia, WA. The notice provided interested persons the opportunity to submit written comments to the commission.
17 COMMENTERS (WRITTEN COMMENTS): The commission received written comments from AARP, AT&T, Allegiance Telecom, Claudia Berry, Elizabeth Clawson, Rep. Mary Lou Dickerson, Electronic Privacy Information Center (EPIC), Elizabeth Fehrenbach, Emeri Hansen, Gail Love, Low Income Telecommunications Project (LITE), Lindsay Olsen, Public Counsel Section of the Office of the Attorney General, Qwest, Senior Services, Sprint, Robert Stein, Matilda Stubbs, Destinee Sutton, Ben Unger, Verizon, WashPIRG, Washington Independent Telephone Association (WITA), and WorldCom.
18 RULE-MAKING HEARING: The commission originally scheduled this matter for oral comment and adoption under Notice No. WSR 02-08-081, at a rule-making hearing scheduled during the commission's regularly scheduled open public meeting on July 26, 2002, at the commission's offices in Olympia, Washington. The commission continued the rule adoption on the record of the July 26 hearing and by written notice to stakeholders who had participated in earlier phases of the rule-making proceeding until August 20, 2002. On August 20, 2002, Chairwoman Marilyn Showalter, Commissioner Richard Hemstad, and Commissioner Patrick J. Oshie considered the rule proposal for adoption. The commission heard oral comments from Qwest, Public Counsel Section of the Office of the Attorney General, Qwest, Seattle Telecommunications Consortium, Spokane Neighborhoods Action Program, Sprint, Verizon, WashPIRG, and WorldCom.
19 COMMISSION ACTION: After considering all of the information regarding this proposal, the commission repealed and adopted the rules in the CR-102 at WSR 02-08-081 with the changes described in Appendix B.
20 STATEMENT OF ACTION; STATEMENT OF EFFECTIVE DATE: In reviewing the entire record, the commission determines that WAC 480-120-144, 480-120-151, 480-120-152, 480-120-153, and 480-120-154 should be repealed.
21 The commission determines that WAC 480-120-201, 480-120-203, 480-120-204, 480-120-205, 480-120-206, 480-120-207, 480-120-208, 480-120-209, 480-120-211, 480-120-212, 480-120-213, 480-120-214, 480-120-215, and 480-120-216 should be adopted to read as set forth in Appendix C, as rules of the Washington Utilities and Transportation Commission, to take effect pursuant to RCW 34.05.380(2) on January 1, 2003.
A. Prior WUTC Rules Addressing Telecommunications Company Use of Nonpublic Personal Information
22 This commission adopted its first rule to protect the privacy of customer proprietary network information (CPNI)1 in 1997.2 That rule prohibited the use of CPNI for marketing purposes. In early 1999, we replaced that rule with rules3 substantively identical to those adopted by the Federal Communications Commission (FCC) in 1998.4 The FCC rules implemented § 222 ("Section 222")5 of the Federal Telecommunications Act of 1996 (the "1996 Act"). The FCC rules required carriers to obtain a customer's express approval (or "opt-in") before using or disclosing CPNI identifiable with that customer, for any purpose other than marketing additional communications services within the category of services to which the customer already subscribed. The "categories of service" defined by the rule were local, interexchange, and wireless.
B. 10th Circuit Vacation of 1998 FCC Rules
23 The 10th Circuit U.S. Court of Appeals in U.S. West v. F.C.C., 182 F.3d 1224 (10th Cir. 1999) vacated the portion of the FCC's CPNI rules that required customer opt-in, as an unjustified restriction on carriers' First Amendment commercial speech rights. The 10th Circuit said that the FCC had failed to show that an alternative less restrictive of carriers' free speech rights, such as opt-out, would not sufficiently protect customer privacy. The United States Supreme Court declined to review the 10th Circuit decision.6
24 In response to the 10th Circuit decision, the FCC, in August 2001, issued an order reinterpreting its rules as requiring that customers need only be afforded the ability to "opt-out" of carriers' "use, disclosure or permission of access" to CPNI.7 At the same time, the FCC initiated a new rule making on the topic of CPNI.
25 After the FCC's decision to reinterpret its rule in response to the 10th Circuit's U.S. West decision, Verizon asked the WUTC either to eliminate our state rules or to conform them to the new FCC interpretation. We first considered adopting substantive changes to our CPNI rules as a result of Verizon's request.
26 Following Verizon's request, Qwest mailed an opt-out notice to its customers that touched off alarm and angry reaction among consumers, consumer and privacy rights advocates, and the media. Based on intensely negative public response to its notice and its limited ability to accommodate customer requests to retain their privacy, Qwest retracted its notice. The Qwest experience served to highlight for the commission the shortcomings of the implied consent or opt-out method of obtaining customer approval with respect to certain uses and certain types of CPNI.
C. New FCC Rule
27 In July of this year, the FCC adopted a new set of rules interpreting the requirements of § 222 of the Federal Telecommunications Act (Section 222), the statute on which the FCC's rules are based.8 In its adoption order, the FCC expressly left the door open to more stringent state protection for CPNI.9 It also stated, however, that it would be willing to preempt state rules that needlessly depart from national standards. Under the FCC's rules, 47 C.F.R. Part 64:
| • | Use of CPNI that is not identified with an individual is not restricted by the rules. |
| • | Without providing any notice to the customer or securing the customer's permission to do so, carriers may use a customer's individually identifiable CPNI to market telecommunications services within the category of service which the carrier already provides to that customer. The categories of service are local, interexchange, and wireless. Included within the local service category, in addition to basic local service, are services such as speed dialing, computer-provided directory assistance, call monitoring, call tracing, call blocking, call return, repeat dialing, call tracking, call waiting, caller I.D., call forwarding, and certain centrex features. |
| • | Only after providing the customer with notice and an opportunity to opt-out may carriers use a customer's individually identifiable CPNI to market communications-related services outside of the category to which the customer already subscribes. The carrier may also disclose the customer's individually identifiable CPNI to its affiliates, agents, independent contractors and joint venture partners for the purpose of marketing communications-related services subject to the customer's right to opt-out of such disclosure. The carrier must enter into confidentiality agreements with its independent contractors and joint venture partners that prohibit additional use or dissemination of the individually identifiable CPNI by the contractor or joint venture partner. |
| • | Carriers must obtain a customer's express, opt-in approval to disclose a customer's individually identifiable CPNI to third parties or to use it to market noncommunications-related services or goods. |
28 Stakeholders have alternatively urged us to adopt across-the-board opt-in and across-the-board opt-out requirements for telecommunications companies' use of customer information. Others have urged us to defer completely to the rules adopted by the FCC, either by not adopting any rules or by adopting rules identical to the FCC.
29 We reject the suggestion that we adopt without change all of the FCC rules. We consider a record different from the FCC. We consider state as well as federal law in our decisions. Washington state stakeholders expressed to us views that were different from those heard by the FCC. And -- perhaps because we are closer to our customers than is the FCC -- we weigh factors differently from the balance implicit in the FCC rules. Like the FCC, we adopt a combination of opt-in and opt-out protections. Our rules, however, require express (opt-in) approval from customers in more circumstances than do the FCC's rules. We adopt these additional protections based on the extensive record in this docket, and on our consideration of federal as well as state law.10
30 The sources of our authority to make rules on this subject are RCW 80.01.040(3) and 80.36.140, which authorize us to regulate, in the public interest, the practices of telecommunications companies on a broad range of matters. Unlike the FCC, we are not bound by the 10th Circuit decision. We nonetheless acknowledge the importance of taking care that our regulations do not unnecessarily restrict companies' protected commercial speech with their customers.
31 Qwest, Verizon, Sprint, and others, have presented arguments that they are entitled, in the exercise of commercial free speech protected by the Constitution, to use information in their possession about their customers to communicate with their customers or others, i.e., to solicit buyers for the services that they provide. In order to address these commercial free speech arguments, we have used the same analytical framework the FCC used in its August 2002 rule adoption order. That analysis is derived from the U.S. Supreme Court's Central Hudson11 decision.
32 We assume, for the purpose of designing our rules, that a telecommunications company has an interest, protected by the First Amendment, in proposing lawful commercial transactions to its customers, in a nonmisleading manner, on the basis of its knowledge about services to which those customers already subscribe from the company. At the same time, we are mindful of customers' interests in their privacy, in their free speech rights, and in their right to associate freely with others. These interests, too, are protected by our state and federal constitutions and underlie the state and federal laws we consider here.
33 In part II, below, we identify the interests we seek to protect and explain why we find they are "substantial" interests to which commercial speech interests may be required to yield. Our conclusions are based on our view of the pertinent law. They are supported by comments we received from consumers in response to the Qwest opt-out notice, on comments received from stakeholders in this rule making, and on privacy values related to telephonic communications that are expressed in the statutory and constitutional law of our state.
34 In part III, below, we explain how our rules directly and materially advance protected privacy and free speech and association interests and why the means we have chosen are carefully crafted to impinge on any freedoms no more extensively than necessary. We weigh the relative merits of "opt-in" and "opt-out" privacy protections by considering information in comments, including polling data and expert analysis related to consumers' experience with opt-out privacy notices in other industries, as well as consumer and stakeholder comments related to Qwest's recent opt-out notice.
35 While we are cognizant of telecommunications companies' commercial free speech interests, we weigh these interests against very important constitutional values on the customer's side of the equation. One's ability to keep private those communications that one chooses (and in which one has a reasonable expectation of privacy, supported by existing law) serves vital constitutional values of privacy and free speech and freedom of association. Perhaps it is obvious, but the telephone is used for private communications with others. It is thus an instrument by which these important and protected interests are achieved. While we recognize that, at some point, an advance in customers' privacy interests may represent a diminution in companies' commercial speech rights, we cannot ignore that the converse is also true: An increase in commercial usage of customer's CPNI at some point represents a decrease in the protection of the customers' interests.
36 We have sought to develop rules that are consistent with the United States Constitution, with Section 222 and the FCC's rules interpreting that statute, and with our own state laws and constitution. While we respect the FCC's approach to this topic, we nonetheless make our own findings about the kinds of interests we seek to protect and the balance we find it necessary to strike between consumers' interests and companies' interests.
37 On the totality of these considerations, we find that the FCC's rules leave certain substantial privacy, free speech and free association interests inadequately protected in Washington state. As the FCC anticipated and expressly allowed in its order, we conclude that the provisions of law we are entitled and required to consider and the record before us require us to provide safeguards more stringent than those required by the FCC's rules.
II. MAINTAINING THE STRICTEST CONFIDENTIALITY OF AN INDIVIDUAL'S COMMUNICATIONS OVER THE TELEPHONE IS A SUBSTANTIAL STATE INTEREST.
A. Because of the nature of services they provide, telecommunications companies are necessarily engaged in full-time monitoring of private communications.
38 As the owners and operators of telecommunications lines, telecommunications companies might be said to be engaged in full-time "wiretapping" of the phones or equipment that connect to their lines.12 The wiretapping laws plainly extend to carriers insofar as carriers might attempt to listen in on phone calls or otherwise intercept the content of what they carry. But additional personal information is acquired in setting up calls and billing for them. As we will discuss below, the wiretapping laws cannot include any blanket prohibition on the acquisition, storage, and use of such information, because it is not possible to run a phone network without it.
39 Telecommunications carriers possess the capability to track certain information that results when subscribers use their telephones. Some of these tracking methods are commonly used (e.g., tracking long-distance calls for billing), while others may be used less frequently (e.g., tracking local dial-up calling to Internet service providers).
40 The technical capability of telecommunications companies to trace and track calling habits, and specifically to identify where and to whom the calls are being placed, has resided in the software of electronic network equipment for a number of years. Although historically the primary use of the information companies collected was for forecasting growth and engineering the network to handle peak loads, recent federal legislation has required companies both to extend the types and amounts of information gathered, and to make this information available to government entities in certain situations.
41 With the passage of the Communications Assistance for Law Enforcement Act, or CALEA, in 1994, a telecommunications company is required to:
[E]nsure that its equipment, facilities or services that provide a customer or subscriber with the ability to originate, terminate, or direct communications, are capable of:
(1) expeditiously isolating and enabling the government, pursuant to a court order, to intercept...all wire and electronic communications carried by the carrier...[and]
(2) ...to access call identifying information...
(A) before, during, or immediately after the transmission...
CALEA, Sec. 103(a).
42 In Section 102(2) of CALEA, "call identifying information" is defined as information from dialing or signaling that identifies "origin, direction, destination, or termination of each communication generated or received by a subscriber by means of any equipment."
43 Under the requirements of CALEA, a telecommunications company must at least have the capability to take the following actions:
| • | Track local calls |
| • | Track long distance calls |
| • | Track feature use |
| • | Track answer or no answer |
| • | Track three-way calling |
| • | Track conference call participation |
| • | Track 800 calls |
| • | Track 900 calls |
| • | Track length of local calls |
| • | Track local dial-up Internet by ISP |
44 While a telecommunications company might not actually use all of this information on a day-to-day basis, and might not even track a customer's usage regularly, the technical capability to collect the information is certainly available. Without certain restrictions, the companies potentially could use the information for marketing or other purposes.
B. The development of a marketing database industry has turned private information in the possession of any business, including telecommunications companies, into a potential source of revenue.
45 Many believe, with good reason, that we are lately experiencing an erosion of our private sphere -- not at the hands of government, but at the hands of private enterprise. Advances in information technology and the search for improved efficiencies in productivity, which we herald in other contexts, are driving the trend.13 As stated in a research paper prepared under auspices of the Washington State Attorney General and the University of Washington School of Law:
The information revolution, the affiliation of previously
unrelated types of businesses, as well as the growth of data
mining14 and target marketing have contributed to a change in
data collection. A consumer's personal information has the
potential of being bought and sold like any other valuable
commodity.
Using these databases, it is possible to identify people by what many would consider private aspects of their lives, including their medical conditions, their SAT scores, and their ethnicities.17 Those selected by their personal characteristics can be targeted not only by direct marketers, but also by lawyers, insurance companies, financial institutions, and anyone else who has the funds to pay for the information.18
47 In short, there is an emerging market for information that may be used to predict individual consumers' receptiveness to offers of particular products and services. We are concerned that telecommunications companies, in their efforts to find new sources of revenue, may wish to sell or make other financial use of records about customer communications. As described above, because of the nature of the services they provide, telecommunications companies have a window on a large amount of very personal and potentially very telling information about their customers. We find that it is therefore imperative to clarify, in the face of this potential source of revenue, that certain information about customers' communications patterns is off-limits to marketing use and disclosure to third parties, at least without the customers' express approval.
48 Finally, we observe that the ready commercial availability of call detail would make a mockery of protection of that same information from use by government: In the pursuit of compelling state interests such as the prevention and prosecution of crime, individual law enforcement agents and agencies of government could obtain the information not only by presentation of a search warrant authorized by a judge but also merely by purchasing it from the company or from any of a number of other commercial database suppliers.
C. The potential harm from use and disclosure, without consent, of individually identifiable call detail information is significant.
49 We embrace the FCC's objective of giving consumers a realistic opportunity to control the disclosure of information about themselves to parties outside of the telephone company. But to this we add a second objective of our own: That of curbing, even within the company, the creation of intrusive new profiles of individuals' communications patterns from what would otherwise be anonymous data. We explain both of these objectives in turn below.
1. Without express consent, the disclosure of call detail could cause embarrassment, pecuniary loss, or a threat to safety.
Fear of disclosure could chill citizens' use of the telephone to freely speak and associate with others.
50 Washingtonians have long relied on the assumption that records of whom they call and who calls them will be used only as necessary to provide the service to which they subscribe or to bill them for toll service. It is important to consider the exact interests that would be harmed by the disclosure of this type of information, which we define as "call detail."
51 Justice Stewart, in a dissenting opinion to Smith v. Maryland, 442 U.S. 735, 748 (1979) stated this interest succinctly:
Most private telephone subscribers may have their own numbers listed in a publicly distributed directory, but I doubt there are any who would be happy to have broadcast to the world a list of the local or long distance numbers they have called. This is not because such a list might in some sense be incriminating, but because it easily could reveal the identities of the persons and places called, and thus reveal the most intimate details of a person's life.
52 The specific kinds of potential harm of such disclosure are limitless, but a few examples are illustrative:
| • | People who wish to remain anonymous for their own safety -- such as people who are subject to abuse or stalking or who might be sought for retaliation -- could be endangered if it were possible for others to obtain lists of calls by or received by such person's relatives. |
| • | People could be screened by prospective employers or fired from their jobs based on perfectly lawful communications with people or organizations to which their prospective or current employers object. |
| • | Candidates for political office could face unfair scrutiny based on associations with organizations and people with whom telephone records indicate they or their family members have communicated. |
| • | People wishing to intimidate or harass members of particular political causes, lifestyles or practices, or religions, could obtain organizations' calling records and with the help of a reverse telephone directory, determine the names and addresses of people connected with such causes, practices, religions, etc. |
| • | Reporters could have sources compromised, despite assurances that the sources would remain anonymous. |
| • | Firms could gain insights into their competitors' trade secrets such as the identity of suppliers, call volumes, and, with the aid of a reverse directory, the identity of a competitor's customers. |
| • | With data about answered/unanswered calls, thieves could find out when an individual is likely or unlikely to be home. |
54 The instances listed above are all examples of harm that could result from disclosure of private call detail outside the telecommunications company. Every party to this rule making appears to concede that protection from these kinds of harm represents a substantial interest.19 Many telecommunications company commenters stated that they do not currently disclose individually identifiable CPNI, which includes what we define as call detail information, to third parties. None stated they do make such disclosures.
55 We conclude that these kinds of potential harm are grave enough that companies should not be allowed to assume consumer consent for disclosure of call detail to third parties without explicit "opt-in" approval from the customer.
2. Even within a company, call detail is too sensitive to be used for profiling or targeted marketing, without a customer's express consent.
56 The consumer interests discussed above could be protected, to some degree (though in our view not adequately20) by a rule that simply prohibits disclosure of call detail outside the company -- or perhaps more broadly, outside the "corporate family."
57 Even if it were possible, however, to devise a reliable system to ensure that call detail information would not be used in a way that results in any of the types of harm mentioned above, but only to develop profiles of individual consumers for direct marketing by the company that serves them, there would still be the potential for a serious and substantial invasion of privacy,21 with its consequent effects on other interests.
58 To be clear, our goal is not to curb marketing per se. We accept the premise that as consumers, we benefit when producers, as a result of knowing something about prior purchases we have made, are better able to inform us of goods and services that might be of use to us, thereby allowing us to make better-informed purchasing decisions. However, where some kinds of information are concerned, this benefit is outweighed by consumers' unwilling loss of control over what they wish to reveal about themselves and for what purposes.
59 One consumer advocate recently described the types of privacy invasions that could result in the absence of rules prohibiting access to call detail:
A consumer desiring a phone number must give personal information to the phone company. Information thereafter is developed from the consumer's phone patterns, such as whether the individual makes calls during the workday or calls certain phone numbers, like pizza delivery, on certain days and times of the week. Certain repetitive calls, such as regular calls out-of-state, can give clues as to the location and behavior patterns of family members. The frequency and duration of telephone calls to health care or insurance providers can give important clues about a family's health concerns. An observer can run consumers' call patterns through computerized screens to find consumers with "desirable" behavior patterns. Only the observer's ethic will limit the ends and means for using the information. More importantly, a company can secretly target the consumer without revealing how extensively these phone patterns made the consumer's personal life an open book.22
60 A group of state attorneys general expressed similar concerns to the FCC in the wake of Qwest's issuance of its poorly received opt-out notice in January of 2002:
While the carriers might not disclose this highly valuable information to their competitors, they would disclose this information to marketing partners for the purpose of jointly marketing products and services unrelated to the customers' current service selection and even unrelated to telecommunications services entirely. For instance, carriers could enter into joint marketing arrangements with providers of certain types of medical products, and send solicitations to the homes of customers who call certain types of doctors or other health care providers. Similarly, carriers could enter into contractual arrangements with telemarketers to sell the telemarketers the names of customers who call certain retailers, or who access the web for a certain period of time or at a certain time of day. The type of information that telemarketers and joint marketing partners would find useful, and therefore be willing to pay for, is limitless. Telemarketers would use this infinite variety of CPNI information in selecting targets for an infinite variety of solicitations, and the carriers would generate new sources of income from this resource. The only party to the transaction that will not have consented, and will not necessarily benefit, is the customer.23
61 The FCC's rules attempt to address the threat of this kind of invasive monitoring. They do so by restricting the use of information that is obtained without express, opt-in customer approval to the marketing of communications-related services and they require companies to limit their affiliates, independent contractors, and joint venture partners to this use of CPNI by contract. 47 C.F.R. § 64.2007(b). We choose, for the reasons stated above, to require opt-in approval for any use of call detail information. Also, as we will explain, we draw the definition of the corporate family (outside of which the company may not disclose a customer's CPNI without express approval) more narrowly.
62 The technology of telecommunications, and federally-mandated identification and preservation of calling information, give telephone companies access to more intimate information about their customers than most other businesses possess. Telecommunications companies are in a position similar to that of health care providers, insurance companies, some kinds of financial institutions, cable providers, and video stores, in that they are in a position to gain a window on sensitive information about individual customers.24 Lawmakers have acted in fields such as these,25 to ensure the confidentiality of particularly sensitive information. As we will discuss below, lawmakers in this state have acted also in the field of telecommunications privacy.
63 Unlike the FCC, we are concerned that a significant privacy interest, recognized by our state law and within the reasonable expectations of Washington consumers, would be compromised by a rule allowing a telecommunications company to engage in data mining and profile-building of its customers' communications patterns, even if only for the company's own targeted marketing purposes. To provide some specific examples, we find that the following practices, described either as a hypothetical possibility or as a current practice by commenters in this rule making, are too invasive of customer privacy to allow unless the company first obtains express customer approval:
| • | Monitoring customers' hourly, daily, or weekly call volumes and calls answered/unanswered, for use as a tool in approaching the customers and selling particular services to help them better manage their telecommunications. Qwest's April 12, 2002, comments at page 6. |
| • | Monitoring customers' called telephone numbers to identify customers who might be receptive to an optional toll plan that offers a flat rate for calls made to other customers of that company. Verizon's May 22, 2002, comments at page 9. |
| • | Monitoring the monthly amount a customer spends calling a particular area code to develop a sales lead list of customers who might be receptive to a plan that has special rates for calls made to a particular area code. Sprint's May 22, 2002, comments at page 2; WITA's May 17, 2002, comments at page 2. |
65 Also, as we have earlier observed, if customers fear an invasion of privacy when they use the telephone, they are less likely to use the telephone to speak to and associate with others. We do not want to adopt rules that would chill these activities.
D. Under existing Washington law, it is well established that telecommunications companies hold telephone calling records for a limited purpose -- to deliver service and to bill for it.
66 Under Washington statutes it is both a criminal offense27 and a basis for civil liability28 for anyone to intercept or record private communications transmitted by telephone without obtaining the consent of all the parties to the communication prior to each such interception or recording.29 Washington's prohibition on violating a person's right to privacy is similar, but not identical to federal statutes pertaining to wiretapping of interstate and foreign communications.30 Both Washington and federal law plainly extend to phone companies,31 particularly insofar as a company might attempt to listen in on phone calls or otherwise intercept the content of the calls they carry.32
67 As a matter of obvious necessity, however, there are some broad exceptions under state and federal criminal statutes for the activities of telecommunications companies. Most importantly, Washington's statutory prohibition on intercepting or recording such communications does not apply to:
Any activity in connection with services provided by a common carrier pursuant to its tariffs on file with the Washington Utilities and Transportation Commission or the Federal Communication Commission and any activity of any officer, agent or employee of a common carrier who performs any act otherwise prohibited by this law in the construction, maintenance, repair and operations of the common carrier's communications services, facilities, or equipment or incident to the use of such services, facilities or equipment.33
68 An important way in which the federal wiretap law and Washington's privacy law differ is in how they treat information of the type contained in toll records. Federal courts have held that a phone company's disclosure of a customer's toll records, including numbers called and the length of the conversation (again, what our rule would label "call detail"), is not a violation of the federal wiretap statute.34 By contrast, as the Washington supreme court has stated:
The state of Washington has a long history of extending strong protections to telephonic and other electronic communications. For example, RCW 9.73.010, which makes it a misdemeanor for anyone to wrongfully obtain knowledge of a telegraphic message, was enacted in 1909 and is based on section 2342 of the Code of 1881. The 1881 Code, adopted before statehood, extensively regulated telegraphic communications. See Code of 1881, §§ 2342-62. Our present statute is broad, detailed and extends considerably greater protections to our citizens in this regard than do comparable federal statutes and rulings thereon.35
69 Under Washington statutes, the kind of "communications" that are not to be intercepted include not just the content of the conversation between the parties, but also the simple act of dialing from one telephone number to another.36
70 RCW 9.73.260 specifically provides that a court order is required for any person to use a "pen register" (a device that identifies all outgoing local and long distance numbers dialed, whether the call is completed or not) or a "trap and trace device" (a device to record the number of an incoming call) on someone's phone line, and only law enforcement officers may petition for such orders.37
71 Unlike its federal counterpart, Washington's law does not specifically prohibit divulging or disclosing communications; it only prohibits intercepting or recording them. As noted above, to the extent phone companies intercept or record such information in connection with the delivery of telecommunications services, the law does not apply to them. It could plausibly be argued that because there is no specific prohibition on disclosing such records, it would not be unlawful for the phone company to use, for any purpose that is not otherwise prohibited, call detail information that it has already recorded in the ordinary course of providing telecommunications services. We find that such an interpretation would be contrary to the privacy interests our legislature sought to protect in enacting laws to protect the privacy of telephonic communications. Part of our intention in adopting these rules is to fill the gaps between Washington's statutory protections on the privacy of communications and the FCC's CPNI framework.
72 Article I, Sec. 7, of the Washington Constitution38 prohibits intrusions of privacy by the government of the sort that our rule prohibits for telephone companies. The Washington supreme court has held that the government may not obtain toll records and may not use a pen register without valid legal process such as a search warrant issued on probable cause. In so holding, the Washington supreme court quoted, as part of its reasoning, the words of the Colorado supreme court in finding a similar right to privacy:
A telephone subscriber... has an actual expectation that the dialing of telephone numbers from a home telephone will be free from governmental intrusion. A telephone is a necessary component of modern life. It is a personal and business necessity indispensable to one's ability to effectively communicate in today's complex society. When a telephone call is made, it is as if two people are having a conversation in the privacy of the home or office, locations entitled to protection under... the Colorado Constitution. The concomitant disclosure to the telephone company, for internal business purposes, of the numbers dialed by the telephone subscriber does not alter the caller's expectation of privacy and transpose it into an assumed risk of disclosure to the government.39
73 To be clear, we recognize that search and seizure law is concerned with intrusions of privacy by the government - not by private enterprise. We nonetheless find the courts' analyses and holdings in these cases to be relevant to our analysis. In determining the extent of the Fourth Amendment's protection against warrantless searches, and the Washington Constitution's prohibition against being disturbed in one's private affairs, courts have been called upon to define the sphere within which a citizen has a "reasonable expectation of privacy."40 We find this "reasonable expectation of privacy" inquiry to be much closer to the mark of what constitutes a substantial interest for First Amendment purposes than the apparently more restrictive test posited in Qwest's comments. Qwest suggests that we have a substantial interest (within the meaning of the Central Hudson test of regulatory burdens on commercial speech) only in protecting information that, if disclosed, would be "highly offensive" to a reasonable person to whom it pertained. Qwest comments of March 21, 2002, p. 11.41 Qwest notes that this is the standard for the tort of invasion of privacy ("publicity given to private life") under the Restatement (Second) of Torts at 652D. We do not read the 10th Circuit decision as circumscribing the government's authority so narrowly as to allow us to place burdens only on company speech that would otherwise constitute a tort. A tort standard makes sense only when applied to the facts of a particular case.42 Tort law is aimed at providing remedies for particular wrongs. Our rules necessarily have broader application because they are aimed at preserving customers' privacy and freedom of speech and association by reducing the risk of the occurrence of such wrongs.
E. Consumer comments following the Qwest opt-out notice reflect an expectation of privacy in telephone records.
74 During the course of this rule making, Qwest Corporation began sending opt-out notices to its customers in Washington, as well as in the other thirteen states where it is the regional Bell operating company. Qwest's notices required customers to opt-out if they wished to prevent use and disclosure of their personal account information, despite the opt-in requirements of Washington rules. Qwest's tactics were widely reported in the radio, television, and newspaper media, and many customers objected. Specific customer objections will be discussed below, but the general sentiment of telecommunications customers was that personal account information should be protected unless the customer gives express permission for other uses. Customers also objected strenuously to the use of their private information by the telephone company itself to market other services to them.
75 The inescapable conclusion of the recent Qwest experience (consistent with the legal analysis of the preceding section) is that customers believe their telecommunications companies have a duty to protect private information about them. Customers were astonished and angered at the notion that their telecommunications company might be able to disseminate information about them based on the assumption of their consent.
76 Beginning in mid-December 2001, Qwest mailed a bill insert to its customers, purportedly putting them on notice that the company intended to use and disclose CPNI for marketing purposes. Customers who objected to this use of their private account information were told to contact the company to opt out.
77 Customers who understood the company's intended use of their information objected strenuously and loudly. During January 2002, newspapers in this state published many letters from consumers who argued that Qwest was abusing its position as their provider of local telephone service and violating the customers' privacy rights. Newspaper editorials chastised Qwest for failing to respect its customers' privacy and exhorted regulators to act firmly to stop the intended practices.43 The WUTC received over 600 comments from customers. The customer response was extraordinary for the WUTC. To our knowledge, no policy issue has generated this many unsolicited comments from members of the public over any period of time, let alone in one month.44
78 Most of the customers who commented simply voiced their opposition to the company's requirement that they opt-out in order to avoid commercial use of their private information. Others went further and made statements such as: "This is invasion of privacy and I thought it was illegal." Similar statements were made by nearly every commenter who went beyond "I am opposed to opt-out." However, some commenters went still further and commented on the nature of the relationship between them and their telecommunications company.
79 Those who commented about the relationship were unanimous in what they said. With striking consistency, they stated that they view the relationship as a limited one in which they pay the company to provide telephone service and, to the extent they must provide information to establish service or to complete a call (dial a number), they consider that the relationship does not entitle the company to do anything with that information but use it to provide service.
80 Some examples of what people stated in e-mails to the WUTC:
| • | When I subscribe to any service, whether it be the utility company, the gas company, or the phone company, I am providing information to them solely because they require it before they will provide a service to me. |
| • | I need a telephone; therefore, I do business with Qwest. I did not ever grant them permission to make money off of me, to solicit from me, to provide information about me to anyone for any reason. |
| • | They are providing us a service that we have contracted for. We are not here to provide them with unlimited information which THEY can sell to the highest bidder. |
| • | We are paying them for phone service. Our phone usage is our private business. |
| • | The individuals supplied the information to the respective company for the singular purpose to contract a business relationship with that company. All information should be held private between the participants of that business relationship. |
My clients are major corporations. Every single one of them requires me to sign a nondisclosure statement prior to my even talking to them about how my services might help them. These nondisclosure statements also forbid me to discuss what the company is doing when using my services and what services I am providing them. If I did not sign those nondisclosure agreements, I would not be able to get any work.
Clearly, customers do not believe that their telecommunications company has, as an assumed or implied extension of the customers' purchase of service, permission to use or disclose the customers' CPNI as the company pleases. Neither do customers believe it is enough, with respect to all possible uses and all types of CPNI, that customers should only have notice and an opportunity to revoke such implied permission.
III. OUR RULE IS NARROWLY TAILORED TO PROTECT CONSUMERS' PRIVACY AND FREE SPEECH AND ASSOCIATION INTERESTS WITHOUT UNDULY BURDENING LEGITIMATE COMMERCIAL SPEECH.
82 Having defined the interests we aim to protect, we now turn to the means. Commenters have proposed two general methods for ensuring that a customer's private account information is not used or disclosed in a manner that is inconsistent with the customers' expectations or wishes: Opt-in and opt-out. Opt-out (implied approval) is shorthand for a method in which companies provide a customer notice of what the company intends to do with information about the customer and the customer is presumed to have assented to the use unless he or she takes some action to revoke that presumed permission. In other words, the customer must "opt out" of the company's proposed plan to use or disclose the customer's information.
83 Opt-in (express approval) refers to a method of determining a customer's preference in which the company must convince the customer to take some affirmative step to register that approval of the use proposed by the company.
A. The opt-out method places a lesser burden on companies' use of customer account information, but recent experiences with its use demonstrate that it needs improvement.
84 The companies favor the use of the opt-out method. Qwest claims that of the two methods, opt-out is the only one that results in a large enough percentage of customer "approval" to justify the expense to the company of even trying to obtain such approval for marketing use. We are sympathetic to this problem in those circumstances in which it is unlikely that customers would strongly object, and might actually benefit from, the company's proposed use. The FCC also found this argument compelling with respect to in-company marketing use of CPNI and consequently allowed opt-out for such uses as require any customer approval.
85 A fundamental difficulty to be overcome by opt-out regulations is that the companies responsible for implementing such regulations may have an incentive not to provide a notice that customers will actually recognize, take the time to read, understand, and easily register a disapproving response.45 As a result, previous attempts at making opt-out schemes work have failed to some degree in (1) getting customers' attention,46 (2) presenting them with their options in language they understand,47 and (3) providing them with a simple manner of registering their disapproval, if they so choose.48
86 In light of comments and information presented by various commenters regarding recent experience under the Gramm-Leach-Bliley Act and our own experience with the Qwest opt-out notice, we are adopting provisions to improve the visibility and content of the notices and to make it easier for customers to register their disapproval.
B. Opt-in makes it more difficult for companies to obtain approval, but because it is less likely to result in accidental approval by the customer, it is appropriate for use where customers' privacy expectations are highest.
87 A number of the telecommunications company commenters objected to an opt-in requirement because it puts the burden on the companies to overcome inertia by enticing customers with promises of specific benefits. We have no reason to doubt Qwest's assertion that it likely will not gain customers' opt-in approval in anything approaching the same numbers as through the opt-out method. We accept for argument's sake that many customers who might not actually object to the proposed use will not take the time to read such a solicitation and register their approval.
88 We find, however, that an opt-in approach is far less likely to result in the customer's accidental approval of the use of his or her private account information. For this reason, where the potential harm of unauthorized disclosure is most serious and where customers' reasonable expectations of privacy are most solidly rooted in existing law, we find it necessary to require companies to obtain customer's opt-in approval.
89 The schematic in Table 1 may be helpful to illustrate the consequences of our decision regarding where we find opt-in approval is necessary to protect customer's reasonable privacy expectation, where opt-out is sufficient in light of companies' commercial speech interests, and where no approval is necessary.
| Place illustration here. |
91 Imagine that the types of information that companies possess about their customers are arrayed on a continuum from the left to the right of the box, with the least "private" or sensitive at left edge and the most private at the right edge of the box. Next imagine that the types of uses to which the companies might put such information are arrayed on a continuum from the bottom to the top of the box. At the very bottom are those uses that are most likely to be within customers' expectations about how a company would use information about them and that are therefore unlikely to upset reasonable privacy expectations. At the top are those uses that a customer would least expect, which would therefore be most upsetting to reasonable privacy expectations, and most chilling to the exercise of customers' free speech and association.
92 Unlike the FCC's rules, our rules acknowledge that some types of information are too sensitive or private for any use other than what is necessary to deliver and bill for service. The FCC's rules acknowledge only the dimension (uses of CPNI) that runs from bottom to top. Because of the breadth of the definition of CPNI,49 we find it imperative to acknowledge the second dimension (i.e., from left to right of the box in Table 1).
93 We discuss our conclusions with respect to each of the shaded areas of this schematic in the sections that follow.
C. We require opt-in for any use of call detail information.
94 Unlike the FCC, we require express, opt-in customer approval before a company may garner information about individual customers' communications patterns (as distinct from more generic information about their purchasing patterns) except as technologically necessary to provide service and billing. This requirement is represented by the dark-shaded portion on the right side of the box in Table 1. We apply this protection even if the company's sole purpose is to compile information for use in targeted marketing of its own services. To protect customers from this kind of intrusion without their consent we define a category of information known as "call detail." This is the information that commenters universally acknowledge to be the most sensitive or private information that companies possess about their customers.
95 Call detail includes any information about particular telephone calls, including the number from which a call is made, any part of the number to which it was made, when it was made, and for how long. It also includes aggregated information about telephone calls made to or from identifiable individuals or entities, and information about unanswered calls that is specific to a particular period of time. We carve out call detail for special protection because we find that the compilation of usage profiles from this information constitutes a significant intrusion into the private affairs of the person who is the subject to the profiling. Expanding the permissible uses of this information to include marketing (as opposed to just technical processing and billing) would create new points of exposure and erode consumers' ability to control what information is revealed about them, and potentially chill their use of the telephone to speak to and associate with others.
96 We believe our protection of call detail is necessary for the protection of values that have long been established in Washington statutes and constitutional law. We find that Washington citizens have a right to expect greater protection of information about their communications over the telephone than the FCC's rules afford. By carefully tailoring our strongest protections for this sensitive information, we believe we have also met the requirement of federal statutes and the constitution.
D. We adopt opt-in for disclosure of individually identifiable CPNI outside the company.
97 Like the FCC, we are adopting rules that require telecommunications companies to obtain express (opt-in) approval before the companies may disclose any nonpublic information about customers to unrelated third parties. This requirement is represented by the dark-shaded, upper portion of the box in Table 1. We have chosen, however, to define "third parties" more broadly (and thus the corporate "family" more narrowly) than the FCC. In our view, the FCC's inclusion of "affiliates," "independent contractors" and "joint venture partners" as part of the corporate family is overly broad, and the definition of joint venture partners is vague as well as broad. Also, we are not confident that companies will have adequate incentive to enforce the contracts that the FCC's rules require for the protection of CPNI in the hands of those affiliates and joint venture partners. The effect of our rule is to make disclosure to more kinds of companies subject to opt-in.
98 Although we emphasize in this order the special sensitivity of call detail information, we do not mean to suggest that individually identifiable CPNI other than call detail information does not need protection. For example, we think most customers would consider it a potentially serious invasion of their privacy for the phone company to sell a list of the telecommunications services the customer purchases, including the amount the customer spends each month on those services, to any third party that would be willing to pay for the information. For many business customers, for example, this is commercially sensitive information. We therefore require opt-in approval before companies may disclose individually identifiable CPNI (including noncall-detail CPNI) to outside parties.
99 Consequently, our rules limit disclosure of private account information under the opt-out scheme to entities under common control with the telecommunications company that holds the information. We did not follow the FCC and permit access by "joint venture partners" to information that is subject only to the opt-out scheme, because that is a category that can fit any entity that uses information to market communications-related services. As a category, "joint venturers" is useless because it permits inclusion of every firm and excludes no firm. We find that such potentially broad disclosure, without express consent, is inconsistent with reasonable customer privacy expectations and we find little support in the U.S. West decision, or elsewhere, for the proposition that companies have a core commercial speech interest in selling such information to third parties.50
E. We adopt opt-out for in-company use of (noncall-detail) private account information for the purpose of marketing services that are not within the same category of service to which the customer already subscribes.
100 In our rules we define "private account information" as the subset of CPNI that does not include call detail but is associated with an identifiable individual. A company may rely on an opt-out notice when it proposes to use the customer's private account information for its own marketing purposes (as opposed to selling the information or disclosing it outside of the company, which requires opt-in approval). This category is represented by the medium-shaded middle-left part of the box in Table 1.
101 Because the opt-out method, even with the improvements we are adopting, is still likely to be misunderstood or go unnoticed by at least some customers, we reserve its application to circumstances in which a failure to obtain informed consent is less serious and in which we find that most customers do not have a strong objection. For example, a company need only provide notice and an opportunity to opt-out before it may compile a targeted marketing list, for its own use, of its interexchange customers whose toll charges exceed a given amount per month.51
102 Aside from our opt-in restriction on call detail, our requirement of notice and an opportunity to opt-out for in-company use of private account information parallels the FCC's opt-out requirements, which the FCC arrived at based on section 222 and the record before it. As such, we see value in adhering to the general framework of the FCC's CPNI rules, when consistent with our own findings and record.52
103 Additionally, it is clear that in overturning the FCC's prior rules, the 10th Circuit was specifically concerned with restrictions on carrier speech that solicits a commercial transaction with the carrier's own customers and on speech within a company (including among affiliates) that facilitates that commercial solicitation. U.S. West, 182 F.3d at 1233, fn. 4. In such instances, and where concerns for the customers' privacy are less grave, it follows that our rules should have a lighter touch, though still preserving customers' opportunity to control the use of their private information.
F. We do not require notice to customers before a company may use (noncall-detail) private account information to market services within the same category to which the customer already subscribes.
104 Although we restrict access to call detail information for any purpose absent the customer's opt-in approval, we otherwise mirror the FCC rules in that no notice is required for a carrier to use private account information (which is defined to exclude call detail) to market new services within the same category of service to which the customer already subscribes.53 This allowance is reflected by the white, lower left-hand corner of the box in Table 1, and was present in the prior federal rules, and in our state's rules. We do not, for example, place any restriction on a company's ability to use private account information to market call-waiting services to customers who subscribe to local exchange service but who do not already purchase call-waiting. We find that consumers would not consider it an invasion of their privacy if their own telecommunications provider observes the services they purchase (as distinct from observing, on anything more than a general level, what use they make of those services) and from that observation makes offers of related services. With the added protection our rules afford call detail information, we are confident that a company's use of information about its customers' prior purchases to target its promotion of related services does not upset customers' privacy expectations. Indeed, this is the type of use that is not restricted in other industries, and is typical of a customer-company relationship. We follow the FCC on this point.
106 We find that the FCC's rules leave certain substantial privacy, speech, and association interests inadequately protected in our state. As the FCC expressly allowed for in its order, we are adopting rules that are more stringent, in certain respects, than those of the FCC. While our rules follow the framework of the FCC rules, our record supports our adoption of more stringent protections in three important respects: (1) We provide increased protection for particularly sensitive personal information, including the phone numbers a customer calls and including highly specific phone calling habits of the customer. A company may not use this information, known as "call detail," without the customer's express ("opt-in") approval, except as necessary for the company to provide service or as required by law. (2) We narrow the scope of a telecommunications company's "family" of affiliated companies, within which it may share information about a customer if the customer does not "opt-out." The effect is to require express ("opt-in") approval for disclosure to more types of entities than the federal rules require. (3) We improve the requirements for the notice that companies must provide customers, to help customers understand what is at stake. Also, by requiring companies to offer their customers more convenient methods for opting-out, we enhance customers' ability to exercise that choice, where applicable.
1 Under 47 U.S.C § 222, customer proprietary network information means: "information that relates to the quantity, technical
configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a
telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer
relationship; and information contained in the bills of pertaining to telephone exchange service or telephone toll service received by a
customer of a carrier . . . "
2 97-18-056 Wash. St. Reg., § 480-120-139(5) (General Order No. R-442, Docket No. UT-960942) filed August 27, 1997.
3 99-05-015 Wash. St. Reg., § 480-120-151 et seq. (General Order No. R-459, Docket No. UT-971514) filed February 25, 1999.
4 In the Matter of Implementation of Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information and Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as amended, CC Docket Nos. 96-115 and 96-149, Second Report and Order and Further Notice of Proposed Rulemaking, 13 FCC Rcd 8061 (1988).
5 Section 222 (c)(1) of the 1996 Act provides: "PRIVACY REQUIREMENTS FOR TELECOMMUNICATIONS CARRIERS. -- Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories."
6 Petition for cert. denied, Competition Policy Institute v. US WEST, Inc., 530 U.S. 1213 (June 2000).
7 In the Matter of Implementation of Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information and Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, as amended, CC Docket Nos. 96-115, 96-149, and 00-257, Clarification Order and Second Further Notice of Proposed Rulemaking, 16 FCC Rcd 16506 (August 28, 2001).
8 In the Matter of Implementation of Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information and Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended, 2000 Biennial Regulatory Review - Review of Policies and Rules Concerning Unauthorized Changes of Consumers' Long Distance Carriers, Third Report and Order and Third Further Notice of Proposed Rulemaking (Released: July 25, 2002).
9 Id. at ¶¶ 69-74. The FCC stated:
"We conclude that carriers can use opt-out for their own marketing of communications-related services, as described above,
which is less burdensome than opt-in. We reach this conclusion based on the record before us, but must acknowledge that states may
develop different records should they choose to examine the use of CPNI for intrastate services. They may find further evidence of
harm, or less evidence of burden on protected speech interests. Accordingly, applying the same standards, they may nevertheless find
that more stringent approval requirements survive constitutional scrutiny, and thus adopt requirements that 'go beyond those adopted
y the Commission.' While the Commission might still decide that such requirements could be preempted, it would not be appropriate
for us to apply an automatic presumption that they will be preempted. We do not take lightly the potential impact that varying stat
regulations could have on carriers' ability to operate on a multi-state or nationwide basis. Nevertheless, our state counterparts do bring
particular expertise to the table regarding competitive conditions and consumer protection issues in their jurisdictions, and privacy
regulation, as part of general consumer protection, is not a uniquely federal matter. We decline, therefore, to apply any presumption
that we will necessarily preempt more restrictive requirements.
10 47 U.S.C. § 222; U.S. Const. Amend. I; U.S. West v. F.C.C., 182 F.3d 1224 (10th Cir. 1999); RCW 80.01.040; ch. 9.73 RCW; Wash. Const. Art. 1, §§ 5, 7; In the Matter of Implementation of Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information and Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended, 2000 Biennial Regulatory Review - Review of Policies and Rules Concerning Unauthorized Changes of Consumers' Long Distance Carriers, Third Report and Order and Third Further Notice of Proposed Rulemaking (Released: July 25, 2002).
11 Central Hudson Gas & Elec. Corp. v. Public Service Comm'n of N.Y., 447 U.S. 557, 564-65 (1980) (setting out the test to be applied in determining whether restrictions on commercial speech survive "intermediate scrutiny").
12 Huber, Kellog, and Thorne, Federal Telecommunications Law,§14.5.2,2d Ed.(1999).
13 Scholars have foreseen the threat that database technology poses to personal privacy for some time. "[M]any people have voiced concern that the computer, with its insatiable appetite for information, its image of infallibility, and its inability to forget anything that has been stored in it, may become the heart of a surveillance system that will turn society into a transparent world in which our homes, our finances, and our associations will be bared to a wide range of casual observers, including the morbidly curious and the maliciously or commercially intrusive." A. Miller, The Assault on Privacy: Computers, Data Banks, and Dossiers 3 (1971).
14 A standard definition for data mining is the nontrivial extraction of implicit, previously unknown, and potentially useful knowledge from data. Another definition is that data mining is a variety of techniques used to identify nuggets of information or decision-making knowledge in bodies of data, and extracting these in such a way that they can be put to use in areas such as decision support, prediction, forecasting, and estimation. See http://www.dacs.dtic.mil/databases/url/key.hts?keycode=222 (this explanation and citation is contained in the original research paper).
15 Mike Hatch, Electronic Commerce in the 21st Century: the Privatization of Big Brother: Protecting Sensitive Information from Commercial Interests in the 21st Century, 27 Wm.Mitchell L. Rev. 1457, 1471 (2001) citing Robert O'Harrow Jr., Data Firms Getting Too Personal?, (Wash. Post) March 8, 1998 at A-1 (this citation is contained in the original research paper).
16 Id. at 1471 (citation is contained in the original research paper).
17 Id. at 1471 (citation is contained in the original research paper).
18 Sellis, Ramasastry, Kim, and Smith, Consumer Privacy and Data Protection: Protecting Personal Information Through Commercial Best Practices, pp. 9-10 (2002).
19 The court in U.S. West expressed some concern about the FCC's articulation of this interest, but ultimately assumed that the government had asserted a substantial interest in protecting people from the disclosure of such information. 182 F.3d at 1235-36.
20 We are concerned that the risk of harmful disclosure we describe in the preceding section would increase if call detail information were permitted to flow to additional company personnel or company agents or contractors for the purpose of developing profiles of individuals for targeted marketing purposes.
21 By privacy, we mean the interest in controlling disclosures of private information about oneself. We do not use the word to refer to the interest in not being bothered in one's home by sales calls. Consumers have other legal tools at their disposal to deal with the latter kind of privacy invasion. See RCW 19.158.110(2), which provides that if recipient of a telemarketing call indicates she does not want to be called again, the marketer must not call again for at least one year and may not sell or give the person's name and number to other marketers.
22 Letter dated May 29, 2002, to the Utilities Division of the Arizona Corporation Commission from Lindy Funkouser, Director of Arizona's Residential Utility Consumer Office, quoted at p. 15 of Comments of Public Counsel, Attorney General of Washington (May 22, 2002) in this proceeding.
23 Letter dated December 21, 2001, from 39 Attorneys General, to Federal Communications Commission, In matter of Telecommunications Carrier's Use of Customer Proprietary Network Information, CC Docket No. 96-115 and 96-149. For many years, Judge Greene invoked concerns about misuse of customer information as a reason to bar phone companies from providing online information services of any kind. Although Judge Green was concerned about competitive issues, his concerns also have a strong privacy dimension. Through "control of its customers' lines of communication," a local phone company would "also have access to their lines of credit, travel plans, credit card expenditures, medical information, and the like. On the basis of a subscriber's telephone calling patterns with respect to information, an RBOC [Regional Bell Operating Company] could easily pinpoint that subscriber for the sale of RBOC-generated information and the sale of other products and services connected therewith, to the point where that company would have a 'Big Brother' type relationship with all those residing in its region." United States v. Western Elec. Co., 6763 F. Supp. 525, 567 n. 190 (D.D.C. 1987), rev'd in part, aff'd in part, 900 F.2d 283 (D.C. Cir. 1990); see also United States v. Western Elec. Col, 714 F. Supp. 1, 12 n. 40 (D.D.C. 1988) (Bell companies barred from offering "user profile" services).
24 Incumbent local exchange carriers ("ILECs") -- the most outspoken opponents of rules requiring express customer approval for the use of private information -- are different from these other kinds of businesses in a significant way: Their customers do not, in most cases, have the ability to choose another provider who will respect their privacy wishes.
25 Cable Communications Policy Act of 1984 (47 U.S.C. §521 et seq., §611); Video Privacy Protection Act of 1988 (18 U.S.C. §2710, §2711); Privacy of Consumer Financial and Health Information, Chapter 284-04 WAC; Fair Credit Reporting Act (15 U.S.C. §1681 et seq.); See also, Gramm-Leach-Bliley Financial Modernization Act (15 U.S.C. § 6801); Electronic Communications Privacy Act of 1986 (18 U.S.C. §1367, § 2232, §2510 et seq., §2701 et seq., §3117, §3121 et seq.); Electronic Fund Transfer Act (15 U.S.C. § 1693); Communications Assistance for Law Enforcement Act of 1994 (47 U.S.C. §§1001-1-10; §1021; 18 U.S.C. §2522); Driver Privacy Protection Act of 1994, and as amended in 1999 (18 U.S.C. §§2721-2725); Family Education Rights and Privacy Act of 1974 (20 U.S.C. §1232g); Federal Privacy Act (5 U.S.C. §552a); Right to Financial Privacy Act of 1978 (12 U.S.C. §3401 et seq.).
26 Our record includes numerous complaints that opt-out directives to Qwest in January and February of this year were not recorded by company staff. At issue was protecting customer information from disclosure to third parties, according to Qwest's opt-out notice, "when it is commercially reasonable to do so."
27 Under RCW 9.73.080, anyone who violates RCW 9.73.030 is guilty of a gross misdemeanor.
28 RCW 9.73.060 provides: "Any person who, directly or by means of a detective agency or any other agent, violates the provisions of this chapter shall be subject to legal action for damages, to be brought by any other person claiming that a violation of this statute has injured his business, his person, or his reputation. A person so injured shall be entitled to actual damages, including mental pain and suffering endured by him on account of violation of the provisions of this chapter, or liquidated damages computed at the rate of one hundred dollars a day for each day of violation, not to exceed one thousand dollars, and a reasonable attorney's fee and other costs of litigation."
29 RCW 9.73.030 provides: "(1) Except as otherwise provided in this chapter, it shall be unlawful for any individual, partnership, corporation, association, or the state of Washington, its agencies, and political subdivisions to intercept, or record any:
(a) Private communication transmitted by telephone, telegraph, radio, or other device between two or more individuals between points within or without the state by any device electronic or otherwise designed to record and/or transmit said communication regardless how such device is powered or actuated, without first obtaining the consent of all the participants in the communication"30 See 47 U.S.C. § 605(a) ("no person receiving, assisting in receiving, transmitting, or assisting in transmitting, any interstate or foreign communication by wire or radio shall divulge or publish the existence, contents, substance, purport, effect, or meaning thereof, except through authorized channels . . .")
31 For example, in State v. Riley, 121 Wn.2d 22 (1993), a criminal defendant alleged that US WEST had violated the statute by using a trace device to identify the number from which someone was repeatedly placing calls to the access number of a long distance provider in an apparent attempt to discover the access codes of the long distance provider's customers. US West gave the information to police and the police used it to obtain a search warrant, but the court analyzed whether US WEST had violated the law. The court found it had not because either (1) a tracer device does not intercept a "private communication" within the meaning of the act, or assuming it does (2) it was nonetheless permissible for the phone company to establish a line trap to trace hacking activity as part of its "operations" under RCW 9.73.070. The legislature later amended chapter 9.73 RCW to extend the protections of the statute to "the originating number of an instrument or device from which a wire or electronic communications was transmitted" -- the information recorded by a trap and trace device like the one at issue in Riley. RCW 9.73.260; 1998 Wash. Laws ch. 217, sec. 1.
32 Huber, Kellogg, Thorne, Federal Telecommunications Law, 2nd Ed., § 14.5.2 (1999).
33 RCW 9.73.070(1).
34 See, e.g. U.S. v. Baxter, 492 F.2d 150 (9th Cir. 1973).
35 State v. Gunwall, 106 Wn.2d 54, 66.
36 Private communication under RCW 9.73 includes "the dialing from one telephone number to another." State v. Riley, 121 Wn.2d 22, 34 (1993); State v. Gunwall, 106 Wn.2d 54, 69 (1986).
37 Again, telecommunications companies' equipment is necessarily exempted from the definition of pen register:
Such term does not include any device used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business.RCW 9.73.260 (1)(d). What is noteworthy about this exemption, like the more general exemption discussed above, is that it is not a blanket exception for phone companies, but an exception the companies are allowed for a limited purpose -- specifically, billing and accounting.
38 Article I, Sec. 7, Wash. Const. reads as follows: "Invasion of private affairs or home prohibited. No person shall be disturbed in his private affairs, or his home invaded, without authority of law."
39 State v. Gunwall, 106 Wn.2d 54, 67 (1986), citing People v. Sporleder, 666 P.2d 135, 141 (Colo. 1983).
40 See Katz v. U.S , 389 U.S. 347 (1967).
41 Qwest also points out that this is the statutory standard for determining whether someone has a right to privacy in a particular piece of information, held by the government, that is sought for disclosure under Washington's Public Disclosure Act (PDA), RCW 42.17.250, et seq. The RCW 42.17.255 standard for determining whether there is a right to privacy in information sought for disclosure is "if disclosure of information about the person: (1) would be highly offensive to a reasonable person, and (2) is not of legitimate concern to the public." We find this too narrow a standard for our "substantial interest" analysis. The Public Records provisions of the PDA are suffused with the policy that citizens have a right to know what the governmental agencies they have created are doing. RCW 42.17.251. This "government in the sunshine" policy is so important that the drafters of the citizen's initiative, Initiative 276, chose to draw narrowly the individual's countervailing interest in the privacy of public records that pertain to himself or herself. We note, however, that when the purpose of a disclosure request under the PDA is merely commercial -- as opposed to serving the central policy of open government -- the privacy protections of the Public Disclosure Act are far broader. In fact, agencies are expressly not authorized to disclose lists of individuals when such lists are requested for a commercial purpose. RCW 42.17.260(9). Moreover, the more specific disclosure exemptions/privacy protections of the PDA include information similar to what we seek to protect with our rules. See e.g. RCW 42.17.310 (a) (Personal information in any files maintained for students in public schools, patients or clients of public institutions or public health agencies, or welfare recipients), (l) (Any library record, the primary purpose of which is to maintain control of library materials, or to gain access to information, which discloses or could be used to disclose the identity of a library user), (nn) (The personally identifying information of persons who acquire and use transit passes and other fare payment media including, but not limited to, stored value smart cards and magnetic strip cards).
42 See e.g., Hill v. MCI WorldCom, 141 F.Supp.2d 1205 (2001) (Under Iowa law, telecommunications carrier's alleged disclosure of phone numbers and addresses of customer's friends to customer's ex-husband, who had previously stalked, threatened, and harassed customer, gave rise to claim for invasion of privacy based on the theory of publicizing private facts, where the facts disclosed would have been extremely embarrassing, highly offensive, and potentially dangerous to a reasonable person in customer's situation, and the information disclosed was not of a legitimate concern to ex-husband).
43 See, e.g., Elizabeth Hovde, Phone Company Rings Customers' Bells: Will Qwest Ever Get the Voice Mail?, The (Vancouver, Washington) Columbian, January 8, 2002; Editorial, Make "Opt Out" Easier for Qwest Consumers, The (Tacoma, Washington) News Tribune, January 9, 2002; Opinion, Qwest's Train Wreck, The Seattle Times, January 19, 2002.
44 The only instance in which customer comments exceeded these in the space of a month was during a strike by the Communications Workers of America against U S WEST. The strike lasted a month and tens of thousands of orders went unfilled, with the result that 750 people without dial tone contacted the WUTC to complain.
45 Comments of the Electronic Privacy Information Center (EPIC) of May 22, 2002, p. 4-5, 9-11. However, as the Qwest experience shows, there is also good reason to avoid making customers so upset as to generate significant ill will.
46 Comments of EPIC of May 22, 2002, p. 9; Comments of Attorneys General to FCC of December 21, 2001 (attachment to Public Counsel Comments of January 31, 2002), p. 8 (referring to two surveys concerning Gramm-Leach-Bliley Act opt-out notices: American Banker's Association survey which found that 41% of customers did not recall receiving their opt-out notices, 22% recalled receiving them but did not read them, and only 36% reported reading the notice; and Harris Interactive for the Privacy Leadership Initiative survey, which indicated that only 12% of consumers carefully read the notices most of the time, whereas 58% did not read the notices at all or only glanced at them).
47 Comments of Attorneys General, p. 8 (referring to conclusions of readability expert Mark Hochhauser, Ph.D. that Gramm-Leach-Bliley opt-out notices, which are required under the law to be written in a "clear and conspicuous" manner have been unintelligible and couched in language several grade levels above the reading capacity of the majority of Americans).
48 We note that those telecommunications companies that have sent opt-out notices have registered opt-out totals that are substantially lower than one would expect from polling data concerning Americans' attitudes about privacy. For example Verizon reports that only 2% of its customers, nationally, have opted-out. Comments of Verizon of May 22, 2002. Sprint reports that only 5.6% of its Washington customers have opted-out. Comments of Sprint of March 26, 2002, p. 9. By comparison, a survey that Qwest views as favorable to its advocacy for opt-out places the number of "privacy fundamentalists" in the U.S. -- who presumably would opt-out of any kind of data sharing if they only knew how -- at 24% of the population. More dramatically, a January 2002 Rocky Mountain Poll in Arizona revealed that only 3.7% of polled adults believed that Qwest was on the right track when it announced it would sell customer records unless customers took the initiative to contact the company and object within a specific period of time. Comments of Public Counsel of May 22, 2002, p. 14. The findings of this latter poll are consistent with our own observation of consumer reaction to the Qwest opt-out notice in our state. Similarly, in a statewide referendum in North Dakota in June, 2002, 72% of voters favored repealing a 2001 state law that let financial institutions share or sell customer information unless customers opted out. The repeal reinstated previous state law barring such sharing unless customers opted in. Adam Clymer, North Dakota Tightens Law on Bank Data and Privacy, New York Times, June 13, 2002.
49 The definition we adopt for CPNI inserts the words "including call detail" into congress's definition, which already encompasses call detail. We insert the phrase so our rules are easier to follow where we treat only that subset of CPNI that is call detail - as distinct from "private account information," which makes up the other component of personally identifiable CPNI.
50 See Trans Union Corp. v. Federal Trade Comm'n., 245 F.3d 809 (U.S. App. D.C. 2001), cert den. 122 S.Ct. 2386 (June 2002) (upholding rules adopted by Federal Trade Commission banning the sale of mailing lists by credit reporting agencies containing the names of consumers who met certain criteria, such as possession of an auto loan, a department store credit card, or two or more mortgages).
51 This example assumes the company's purpose in collecting such information would be to market, to its customers, services that are outside the category of service to which the customer subscribes. As with the FCC's rules, if the purpose of the list were to enable the company to market additional services in the same category to which the customer already subscribes, no opt-out "approval" would be required. See section F, infra.
52 Our rule for inbound and outbound telemarketing is very similar to the FCC's. Carriers may use oral notice to obtain limited, one-time use of CPNI for inbound and outbound customer telephone contacts for the duration of the call. Because it is oral notice, it requires an express (opt-in) response during the telemarketing call, and as a result a company that uses only private account information in telemarketing will nevertheless have secured opt-in approval for that use.
53 The FCC reasoned that a company's use of CPNI to market services closely related to the those the customer already purchases is an area in which there truly is implied consent on the part of the customer, and that, in section 222 "Congress intended that a carrier could use CPNI without customer approval, but could only do so depending on the service(s) to which the customer subscribes."
54 Our dissenting colleague has reached a third conclusion -- that no CPNI may be disclosed without express consent. We note that his interpretation is even stricter than what was required under our old rules, or under the earlier federal rules, which did not, as the dissent would, require express consent to use CPNI to market even within the same category of services. Also, we feel an obligation to try to harmonize the federal statute with other laws, decisions, and principles, as has the FCC, albeit with a different result. Finally, it is true that the approach Commissioner Hemstad proposes would not be as complex as the one we adopt. Complexity, however, is the price we pay for the complex balancing of the interests at issue.
Number of Sections Adopted in Order to Comply with Federal Statute: New 0, Amended 0, Repealed 0; Federal Rules or Standards: New 0, Amended 0, Repealed 0; or Recently Enacted State Statutes: New 0, Amended 0, Repealed 0.
Number of Sections Adopted at Request of a Nongovernmental Entity: New 14, Amended 0, Repealed 0.
Number of Sections Adopted on the Agency's Own Initiative: New 3, Amended 0, Repealed 0.
Number of Sections Adopted in Order to Clarify, Streamline, or Reform Agency Procedures: New 0, Amended 0, Repealed 0.
Number of Sections Adopted Using Negotiated Rule Making: New 0, Amended 0, Repealed 0; Pilot Rule Making: New 0, Amended 0, Repealed 0; or Other Alternative Rule Making: New 0, Amended 0, Repealed 0.
108 WAC 480-120-144, 480-120-151, 480-120-152, 480-120-153, and 480-120-154 are repealed.
WAC 480-120-201, 480-120-203, 480-120-204, 480-120-205, 480-120-206, 480-120-207, 480-120-208, 480-120-209, 480-120-211, 480-120-212, 480-120-213, 480-120-214, 480-120-215, 480-120-216, 480-120-217, 480-120-218, and 480-120-219 are adopted to read as set forth in Appendix C, as rules of the Washington Utilities and Transportation Commission, to take effect pursuant to RCW 34.05.380(2) on January 1, 2003.
109 This order and the rule set out below, after being recorded in the register of the Washington Utilities and Transportation Commission, shall be forwarded to the code reviser for filing pursuant to chapters 80.01 and 34.05 RCW and chapter 1-21 WAC.
DATED at Olympia, Washington, this 7th day of November, 2002.
Washington Utilities and Transportation Commission
Marilyn Showalter, Chairwoman
Patrick J. Oshie, Commissioner
Commissioner Richard Hemstad, dissenting:110 With this order, my colleagues have done a commendable job of constructing rules that attempt a balance between customer privacy interests and the commercial interests of telecommunications companies. However, the end result is a remarkably complex set of rules which classify customer consent for the use of individually identifiable customer proprietary information in some circumstances by affirmative approval (opt-in), in other circumstances by silence (opt-out), or in still other circumstances by assumed approval with no opportunity even to opt out.
111 While these dense rules will be daunting for the affected companies to internalize and implement, they will surely be incomprehensible to even well-informed customers. In contrast, the directive from congress to this commission in 47 U.S.C. Sec. 222 is simple and easily understood: Customer approval is required before a telecommunications company may use, disclose or access individually identifiable customer proprietary information except to the extent necessary to operate the public switched telephone network and related activities (e.g., billing). The statute, I believe, can only be fairly read to require the affirmative consent of the customer. Consequently, I cannot join in the adoption of these rules concerning customer privacy.
The constitutionality of 47 U.S.C. § 222 has never been challenged and we cannot act as if it is unconstitutional.
112 No one has challenged the constitutionality of 47 U.S.C. § 222. It was not challenged in the 10th Circuit, and none of the comments we have received have contended it is unconstitutional. A statute is presumed constitutional until it has been determined to be otherwise. We cannot act as if the federal law is unconstitutional and give ourselves permission to invent other ways of treating customer proprietary network information that are inconsistent with the statute. What is adopted today in the sections that do not permit any customer control, and those that permit so-called approval through an opt-out scheme, are, in my opinion, in conflict with the clear, unambiguous grant by congress to customers of control of the confidentiality of their proprietary network information.
Congress made a clear statement that individually identifiable customer proprietary network information may not be used without first obtaining approval of the customer.
113 The language of the statute is unambiguous:
(c) CONFIDENTIALITY OF CUSTOMER PROPRIETARY NETWORK INFORMATION. --
(1) PRIVACY REQUIREMENTS FOR TELECOMMUNICATIONS CARRIERS. -- Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories.
47 U.S.C. 222 (c)(1) (Italics added).
Use of customer information without notice to customers and without even the possibility of disapproval is directly contrary to the statute.
114 As stated above, Section 222 requires "approval of the customer" before any use, disclosure, or access to individually identifiable customer proprietary network information. The rules adopted today in some circumstances allow telecommunications companies, and any company that controls, is controlled by, or is under common control with a telecommunications company, to use certain customer information without notice to customers and without their approval, not even so-called opt out approval. This is an effort, as I understand it, to make the rules acceptable under a Central Hudson55 analysis. Accepting Central Hudson as the correct precedent to follow is, in my opinion, a mistake on at least three counts.
115 First, Central Hudson is a case that did not interpret an explicit federal statutory directive. We should not ignore the fact that congress has spoken and, in adopting Section 222, must be presumed to have weighed the competing values of commercial speech and personal privacy.
116 Second, Central Hudson's facts did not involve the use or disclosure of personal information. Rather, it involved an entirely different fact-situation: A utility stuffing, with its monthly bill, a generic advertisement to promote energy consumption in a time of shortage.
117 Third, Central Hudson addressed only one constitutional issue, the commercial speech rights of a utility to advertise its product free from interference by a regulatory agency. Nothing in the case even remotely touched on what I believe to be constitutionally implicated privacy interests56 of customers in the confidentiality of their discrete customer information.
118 While the FCC may be required to respond to the remand directives of the 10th Circuit's majority opinion,57 which arrived at its procedural conclusion based upon Central Hudson, this commission is not bound by the 10th Circuit's decision or by its reliance on a case that did not concern a congressional act, had completely inapposite facts, and did not address the constitutionally implicated interests that motivated the commission's departure from the FCC in the first place.58
Approval is not the absence of disapproval, which is all that is represented by opt-out schemes.
119 Other portions of the rules adopted today permit company use of confidential customer information unless the customer opts not to permit such usage. Only the self-interested commenters in this rule making promote the view that congress meant approval to mean the absence of disapproval. It is not a reasonable conclusion; and it is not a conclusion that is permitted in the absence of ambiguity. The proponents of the view that "approval" means an opportunity to opt out rely on wishful thinking, not ambiguity, when they claim it is a reasonable interpretation of the statute.
120 Congress constructed a section of law that has as its unmistakable aim the protection of the confidentiality of customer information and it placed the customer in charge of that confidentiality, not telecommunications companies and not regulatory agencies.
121 Congress could have been silent on the topic of customer proprietary network information. Then at least an arguable conclusion might be that the information obtained by telecommunications carriers could be treated the same as the information obtained by any other business not the subject of a particular federal statute respecting customer information. Because congress was not silent, we cannot act as if it were.
122 Or, congress could have constructed a statute like those that are particular to certain activities (e.g., educational and financial institutions, video rental companies) and provided some specific scheme for how the use and disclosure of customer information would be treated. With respect to financial institutions and disclosure of customer information, congress explicitly used the term "opt out." 15 U.S.C. § 6802(b). When congress wants to prescribe an opt-out scheme related to customer information, it does so explicitly. But congress did not prescribe in Section 222 the schemes used in other statutes; we cannot act as if it did. Customer information obtained by telecommunications carriers must be treated differently from information obtained by other businesses subject to other, specific statutes adopted by congress to regulate the use and disclosure of customer information.
123 We can only treat telecommunications customer proprietary information as prescribed in 47 U.S.C. § 222. There is no ambiguity. Congress could have said nothing, or prescribed some other means of safeguarding this information if that is what it had wanted to do. Specifically, it could have created an opt out scheme, but it clearly and unambiguously did not. Instead of silence, an opt out scheme, or something else, it said "with approval of the customer." A fair reading of the statute compels the conclusion that "approval" can mean only an affirmative statement by a customer, not an assumption of approval based on the absence of disapproval.
Proponents claim opt out schemes are more efficient and that those who wish to keep their proprietary information private can do so.
124 If the value sought to be served is efficiency rather than protection of privacy, then proponents probably are correct that use of an opt out scheme would require less effort from telecommunications carriers and only some effort from customers that choose to opt out. However, congress was in a position to give relative weight to these values - efficiency and personal privacy - and it did so in the language of Section 222. It chose efficiency when it did not require customer approval for use of personal information in order to conduct everyday operations of the network, but it also chose to value personal privacy by requiring customer approval of any other use of personal information.
Washington state policy on privacy is consistent with and reinforces Section 222.
125 Congress has made a determination that telecommunications carriers must protect the confidentiality of customer proprietary network information and must have customer approval to use that information. That is consistent with and reinforced by the strong statement in favor of personal privacy found at Article I, Section 7, of our own Washington constitution. The adoption of rules that permit use of protected information either without notice or with an opt out scheme is inconsistent with state policy on personal privacy.
Concluding comments.
126 In footnote 54 of the commission's order, my colleagues respond to this dissent by asserting that "Complexity...is the price we pay for the complex balancing of interests at issue." But congress in the unambiguous directive of Section 222 did not choose complexity. It chose simplicity. In doing so it mirrored the emphatic views of a broad spectrum of consumers as demonstrated in the enormous outpouring of surprise, anger and distress of Qwest's customers when they became aware of Qwest's intentions to access without their approval what they had assumed to be private information.59 The commission's order, with its complexities, neither responds to these legitimate consumer concerns nor to Section 222.
127 My colleagues are motivated by considerable concern for customer privacy, which I applaud. That concern is amply demonstrated by their elaborate and scholarly order. But I nonetheless believe the commission has followed the wrong case to the wrong result and, in doing so, has ignored the explicit directive of congress. In an age when huge amounts of personal information can be collected and manipulated, it is my hope that these rules will some day be reviewed by a court that recognizes that the concerns of individuals for their privacy pose new fact-situations that require a fresh analysis. A new precedent for a new environment is in order, one that recognizes the vast changes in technology and its impact on our private lives in the twenty-two years since Central Hudson.
128 Accordingly, I cannot join in adoption of rules that ignore a customer's statutory right to confidentiality unless the customer gives affirmative approval to a telecommunications company to use, disclose, or access individually identifiable customer proprietary network information.
129 For these reasons, I respectfully dissent.
Richard Hemstad, Commissioner
55 Central Hudson Gas & Elec. Corp. v. Public Service Comm'n of N.Y., 447 U.S. 557, 564-65 (1980) (setting out the test to be
applied in determining whether restrictions on commercial speech survive "intermediate scrutiny").
56 In discussing privacy, I am referencing customers' rights to privacy, free speech and free association.
57 The minority opinion, I believe, is the correct view and is true to the language and purpose of Section 222.
58 Access to information permitted to companies without either customer notice or approval also raises troubling issues of unfair competitive advantage for those companies vis-a-vis their competitors.
59 See the description beginning at ¶ 76 of the Order.
Docket No. UT-990146
Response to Specific Comments
2 The commission received comments from several telecommunications companies, consumer advocates, and others, including AARP, AT&T, Allegiance Telecom, Claudia Berry, Elizabeth Clawson, Rep. Mary Lou Dickerson, Electronic Privacy Information Center (EPIC), Elizabeth Fehrenback, Emeri Hansen, Gail Love, Low Income Telecommunications Project (LITE), Lindsay Olsen, Public Counsel Section of the Office of Attorney General, Qwest, Senior Services, Sprint, Robert Stein, Matilda Stubbs, Desinee Sutton, Ben Unger, Verizon, WashPIRG, Washington Independent Telephone Association (WITA), and WorldCom.
3 The material is organized by subject and by rule number, which is noted at the end of each response. In each response we indicate whether we made a change in the adopted rules based upon the comment, or whether we adhered to the language in the proposed rule.
4 Definition of customer network proprietary network information (CPNI): The definition of CPNI in the proposed rules contained the phrase "which includes information obtained by the company for the provision of telecommunications service." The consumer advocates considered the phrase to be ambiguous and perhaps providing permission for companies to use, disclose, or permit access to such information as medical status submitted by a customer in compliance with proposed WAC 480-120-173 with no more than opt-out approval. In order to remove the ambiguity, we removed the phrase from the adopted rules. The remaining definition of CPNI in subsections (a) and (b) came directly from the federal statute. However, because the commission proposes specific, more stringent protections for those portions of CPNI that are individually identifiable, we have added to the definition of CPNI a description of the subsets of data contained within that broader category of data. See WAC 480-120-201.
5 Interference with Marketing "Friends and Family" Type Plans: Some companies provide reduced toll rates to customers who call other customers who use the company's service. Company comments suggest that our definition of call detail would restrict marketing these programs. It is true that under our rules a company may not examine numbers called to determine if a particular customer routinely calls another customer and use that information to suggest to the customer a change of long-distance plans. The examination of such information for that purpose would stray into a practice that we have determined could result in revealing sensitive communications habits and personal habits. Once a customer elects "Friends and Family" service, the company can of course use specific call detail information in order to initiate, render, coordinate, facilitate, bill, and collect for telecommunications services the customer has purchased or requested. See WAC 480-120-201 and 480-120-205.
6 Suggested Changes to Definition of Call Detail: Companies suggested elimination of subsections (b) and (c) in the definition of call detail, and asked for clarification of the scope of (d). Subsection (b) defines as call detail information associating individual customers with specific area codes, prefixes, or complete telephone numbers correlated with the time of day, length of call and cost of call. Elimination of this subsection would mean that companies could, without opt-in approval, examine customers' communications habits and know or deduce a great deal about customers' personal habits or circumstances (e.g., determine a customer makes routine calls to Alcoholics Anonymous). Elimination of this subsection would undo one of the most important protections we seek to achieve with these rules.
7 Elimination of subsection (c) would permit companies and others into whose hands the information falls to discern calling patterns that may also reveal sensitive personal habits. While we exclude from call detail general calling patterns and expenses when expressed in terms of one month or more of activity or expense, we consider that information to be call detail when viewed for shorter periods.
8 We revised subsection (d) so it is clear that it refers only to information that is associated with a specific individual. See WAC 480-120-201.
9 Prohibit Use of CPNI Except as Permitted by 47 U.S.C. § 222 or by These Rules: Our proposed rules permit the use of CPNI in accordance with federal law except when these rules require otherwise. Consumers suggested that this should be changed so that no use is permitted unless authorized by federal law or these rules. The purpose would be to emphasize that CPNI is the property of customers and that it can only be used when there is specific permission granted. We reviewed the rule with these comments in mind and determined the rule is unnecessary and it has been withdrawn.
10 Oral Approval for Use of CPNI: Companies expressed concern that our rules permitting oral opt-in approval for use of CPNI and call detail are inconsistent with federal requirements. The concern is that our rule permitting third-party verification similar to that used to verify customer changes from one long-distance provider to another cannot be used while the customer is on the line with the company representative. The underlying concern appears to be that a competitor could not look at certain account information in the process of completing a new service order for a customer who is switching from another carrier.
11 Our adopted rules address these concerns in a variety of ways. First, no approval is required to use CPNI to initiate, render, coordinate, facilitate, bill, and collect for telecommunications services the customer has purchased or requested. This has not changed from the proposed rules.
12 Second, we permit the use of CPNI for the duration of inbound and outbound telemarketing calls without third-party verification of approval. We do not require a safeguard in these circumstances because the customer may simply hang up.
13 Third, where we do require third-party verification, we have added an option in the adopted rules that was not in the proposed rules. If a company requests opt-in approval for use of call detail beyond the duration of the call, it may use third-party verification process that is similar to that used for third-party verification when customers switch long-distance providers, or it may make a sound recording of the oral approval sufficient to establish knowing approval. The inclusion of making a sound recording as an option is a change from the proposed rules. (Note that Washington is a two-party consent state with respect to recording conversations, so a company using this method to obtain oral approval will have to inform the customer that the call will be recorded.) See WAC 480-120-205, 480-120-206, and 480-120-212.
14 Use of CPNI During Inbound and Outbound Telemarketing Calls: In our proposed draft we permitted use of private account information after oral notice and oral approval during an inbound telemarketing call. After consideration of company comments concerning customers' desires to receive a quick response when discussing telecommunications services with a company that is already providing service, we determined that a rule concerning inbound telemarketing alone was insufficient to lead to responsive service. In the adopted rules we permit use of CPNI during outbound as well as inbound telemarketing calls, provided there is notice and the customer approves of the use of CPNI. In both instances, the approval and use are permitted only for the duration of the call, which provides a privacy safeguard for customers that balances company access to CPNI during outbound telemarketing calls. See WAC 480-120-206.
15 Restriction on the Use of Call Detail Will Require Companies to Stop Some Marketing Practices: Some companies stated that certain of their current marketing practices would be prohibited by the proposed rule. For example, using CPNI to market caller identification, Digital Subscriber Line (DSL) service, voice mail, and second residential lines. Most of the examples given are related to services already provided to a customer, because they only work with local service. We addressed this concern in the adopted rules with an additional rule that permits use of private account information without either notice or approval to market services related to those already provided by a company.
16 Other services, such as DSL, could be marketed to customers that are not local service customers, in which case a company would either have no CPNI related to the person because the person is not a customer, or would have to have opt-out or opt-in approval, depending on whether the company planned to use private account information or call detail to market the service. (Note that advertising and marketing based on information that does not come from CPNI may be used without any approval.) See WAC 480-120-208.
17 Notice Issues: We received many comments on notice, some general in nature and others specific to various subsections.
| • | Notice Generally: In general, companies suggested the amount and types of notice would be confusing, and consumer advocates did not question the amount and type of notice. Our response to the general concern that there is too much notice required is that we have a record that demonstrates that customers have expressed more interest in privacy of telecommunications records than any other policy issue to come before the commission. We believe that customers genuinely care about their privacy, that privacy is an interest that should be protected, and that customers will not be confused by information that enables them to make an informed decision. We have tried to develop notice requirements that will enable customers to make informed choices and that do not contain unnecessary provisions. WAC 480-120-209. |
| • | Annual Notice: We received several company comments suggesting we follow the Federal Communications Commission (FCC) and reduce the required frequency of opt-out notice from one year to every two years. The issue is whether customers need notice more or less often in order to be sure they understand their options and how to exercise them. We are persuaded that with the substantial notice required and the multiple mechanisms for opting out, customers will receive notices that can be read and understood and that the process of opting out will be easy. For these reasons, we believe that less frequent notice will not reduce customer understanding or the opportunity to opt out. We also see a value in reducing the cost to notify customers. We have changed opt-out notice requirement to once every two years. See WAC 480-120-209(2). |
| • | Inclusion of Notice with Other Advertising or Promotional Material: Our proposed rule contained a prohibition against providing the opt-out notice with any other advertising or promotional material; it did permit inclusion of the notice with customer bills. Companies commented that it would be beneficial to companies to be permitted to place both advertising and opt-out notices together in bills because placing advertising in bill envelopes is cost-effective. We do not doubt that it would be cost-effective for companies to include advertising with the notice, but the efficiency in advertising costs may come at the expense of the effectiveness of the notice because it could be lost in the advertising and other material. We have not changed this requirement in our adopted rules. WAC 480-120-209(3). |
| • | A Mix of Opt-In and Opt-Out Approval Will Cause Customer Confusion: Companies and consumers are united in believing that customers will be confused if call detail is made available only after opt-in approval is given, and private account information is available to companies after notice and an opportunity to opt-out. The argument appears to be that two possibilities is one too many. We disagree. First, not all companies will send both types of notice. Some may elect not to ask for opt-in or opt-out approval. Others may request one or the other, or use a single opt-in notice for all CPNI. Second, if both notices are sent, we think customers and companies alike can understand two sets of information and two types of approval. We believe that confusion is unlikely if companies provide accurate notices to customers. It is not difficult to understand the difference between using, disclosing, and permitting access to information about services purchased (e.g., a second line) and call detail (e.g., whom you call and who calls you). Companies have an incentive to provide correct notice that informs rather than confuses. Commenters also suggested customers will be confused by the contradictions between our notice requirements and FCC notice requirements. If companies send two different notices to customers under the opt-out mechanism, no doubt confusion will be the result. Confusion can be avoided if companies send customers only the correct notice based on these rules. To the extent our rules are more protective of sensitive call detail information than the FCC's rules, companies will be required to send opt-in notices. Following the rule that provides the greater privacy protection is not a confusing concept. See WAC 480-120-209, 480-120-211, and 480-120-212. |
| • | Informing Customers of Rights and Duties: Companies commented that notice requirements that inform customers of their rights with respect to confidentiality of CPNI, and the requirement also to inform customers that companies have a duty to protect the confidentiality of CPNI, may be confusing. No commenter explained just how this information may confuse customers, so lacking any specific concern, we reject the unsupported assertion. See WAC 480-120-209 (5)(c) and 480-120-212 (3)(a) and (b). |
| • | Required Use of 12-Point Type for Notices: Our proposed rule requires the use of 12-point type in opt-out notices, and companies have commented that it is unnecessary to state the required size of type. Our experience is that many notices use type sizes that are small and difficult to read. Prior to including the type size in the proposed rules, our staff produced a notice that contains all the required notice contents in twelve-point type. The sample notice fits on one side of a standard size sheet of paper. The example has standard margins and contains considerable separation between notice elements. No commenter stated that the sample notice was deficient or for any reason could not be used. Because we have not been informed that there is a specific problem we have retained the requirement in the adopted rules. See WAC 480-120-209(7). |
| • | Notice That Not All Call Detail Will Be Used, Disclosed, or Accessed: Another company comment is that limited notice is not permitted when limited use or disclosure of call detail is planned. There is nothing in the notice requirements for obtaining opt-in approval to use call detail that prevents a company from informing a customer of the limits to which call detail will be put to use. Because we require that notice be comprehensible and not misleading, companies must adhere to self-imposed limits. We were not asked to make a specific change, and we believe the rules permit companies to tailor notices to self-imposed limits on use, disclosure, and access, and therefore we make no change to the rules on this topic. See WAC 480-120-209 and 480-120-212. |
| • | Notice Concerning Entities to Which Call Detail May Be Disclosed: Another suggestion in the comments is that it is unnecessary to provide the names of affiliates and subsidiaries in the opt-in notice because they are often unknown to customers who are accustomed to brand names. We think customers may be interested in the names of the firms that may receive call detail information, but nevertheless make a change in this subsection. After reflection, we think disclosure of all affiliates, subsidiaries, and companies under common control would be an impractical requirement to place on companies because they form an ever-changing group. We also think that companies, in order to convince customers to opt-in to the use of their most sensitive personal telecommunications information, will have to find some level of revelation of who may receive the information that satisfies customers' curiosity about who will have access to their information. Accordingly, we have reduced the disclosure requirement to whether the information will be used, disclosed, or access permitted to an entity or person other than the company. See WAC 480-120-212 (3)(d). |
| • | Notice Concerning Availability of Name, Address, and Telephone Number to Telemarketers: One commenter raised a concern that the notice requirements in the proposed rule concerning availability of name, address, and telephone number (subscriber list information) suggested companies must provide this information to all types of telemarketers. In the adopted rule we have made a change so that the notice must inform customers that name, address and telephone number are not private information and may be used by telemarketers even if the customer opts-out. The revised notice requirement more correctly informs customers that choosing to opt-out is not the same as eliminating telemarketing. See WAC 480-120-209 (5)(a). |
| • | Notice That No Action Is Necessary to Protect Call Detail Disclosure to Third Parties: A concern was expressed that this requirement could lead to confusion. We think it is important for customers to know that they need not take any action to protect the most sensitive information (call detail) about them. No commenter suggested precisely how this would confuse customers, and we do not think it will. See WAC 480-120-212 (3)(f). |
| • | Include a Copy of the Chart That Shows the Application of the Rules to Certain Types of Information: In the proposed rules we included a chart labeled "Customer Approval Method Depends on the Type of Information." Consumer advocates suggested that a copy of this chart (which is revised in the adopted rules) be required to be included with opt-out notices. Because the chart would not necessarily be correct when a company chooses self-imposed limits on the use, disclosure, and access that it will permit and its notice reflects those self-imposed limits, we do not think we should require inclusion of the chart. Companies may find that inclusion of a chart is a good idea and may include a comprehensible and not misleading chart with a notice. |
| • | Some Notice Requirements are Incompatible with Notice and Approval for the Duration of a Telemarketing Call: Company criticism of the proposed rules is correct on this point. The adopted rules provide exemptions from the notice rule when the notice and approval extend only for the duration of a telemarketing call. See WAC 480-120-213(2). |
| • | Opt-out Approval Will Burden Consumer Organizations Rather Than Companies: Consumer advocates suggested that the use of an opt-out approval mechanism for some information will burden consumer organizations that will be asked to assist customers in understanding their options, while companies will not bear this burden. In essence, this is another suggestion that customers will be easily confused and was presented as an argument for an all opt-in approach. We believe our notice requirements are sufficiently strong to require companies to send notices that will inform rather than confuse, so we make no change in the adopted rules based on this comment. See WAC 480-120-209 and 480-120-212. |
| • | Rules Will Require Costly New Processes: Companies commented that the administrative aspects of the new rule (notice and opt-out mechanisms) will increase costs for companies. This may be, but the purpose of these rules is to strike a balance between company concerns and customers' interests in privacy, speech, and association. There is a threshold of privacy protection below which we will not go, even if that protection means increased costs will result. With respect to imposing costs on customers or companies, these rules are not different from any other rules, any of which may cause an increase in cost to customers or to companies. See WAC 480-120-209, 480-120-211, and 480-120-212. |
19 Our experience, and the record on which we act, demonstrate that multiple methods are needed to ensure ease of opting out. Many customers report that they attempted to opt-out in a situation in which a company sent an opt-out notice, but found they were thwarted in doing so when calls went unanswered and when they were told there was no address to which a written opt-out directive could be sent. A particularly troublesome example of the difficulties customers encountered concerned a company that did not accept opt-out requests by telephone on Saturdays, but mailed notices that arrived on Saturdays. The same company did not accept opt-out calls in the evening, thwarting the efforts of those who open mail in the evening after work and would like to take immediate action to opt out.
20 As we discuss in the order, in one sense companies have an incentive to make it difficult for customers to opt-out. (In another sense, as Qwest learned, their long-term incentive is to maintain cordial relations with their customers.) The order and this response discuss some of the problems. We have provided in this rule the methods that we consider appropriate to guard against these problems occurring again. While they may be multiple, their multiplicity does not necessarily make them expensive. We decline to make changes based on the comments on this subject. See WAC 480-120-211.
21 Opting-Out by Marking a Box or Blank on the Monthly Bill: In some draft version of these rules we included marking a box or blank on the monthly bill as a means for a customer to opt-out. We did not include this as a method for opting out in our proposed rules because we were persuaded that it would be difficult to inform customers that they did not need to check the box every month and because we were persuaded by companies that it could interfere with bill processing, an important business function. In consumer comments on the proposed rules we were encouraged to once again include this option. We adhere to the position we took when we eliminated it from draft rules and excluded it from our proposed rules. See WAC 480-120-211.
22 Limited Requirements for Companies With Fewer Than 50,000 Access Lines: Comments from smaller companies suggest that it is inefficient to have a 1-800 line with access to a live or automated operator at all times when it may only be called a few times per year. They do not recommend an alternative. This comment misreads the rule to mean that toll-free must be a 1-800 number. Companies can meet this requirement by having a local telephone number for which a toll is not charged. If a message (voice, voice activated, or touch-tone) can be left by a caller when not answered, and if that opt-out request is confirmed as required by our rules, then a company will have met the requirements of this rule. For those reasons, we decline to provide fewer opportunities for opting-out to customers of small companies as those of larger companies. A customer's interests in privacy, speech, and association are not reduced by the size of the company providing telecommunications service. See WAC 480-120-211.
23 The Opt-In Notice Should Not Require a Description of Each Purpose for Which Information May Be Used, Disclosed or Accessed: We receive oral comments prior to publishing the proposed rules recommending that we not require a description in the notice of each purpose for which call detail might be used. The same comment was made in response to the proposed rule. Because it is not reasonable to expect every possible purpose to be listed, we have altered the adopted rules and now require that opt-in notices provide a description of the general purposes for which the information may be used, disclosed, or for which access may be permitted. See WAC 480-120-212 (3)(e).
24 Written Confirmation: We received company comments opposed to our requirement for written confirmation when a company receives a customer's opt-out or opt-in directive (other than a directive received during a telemarketing call). Our experience is that companies cannot be depended on to follow the instructions accurately at all times. Our record includes statements from customers that their opt-out directives were not implemented. Accordingly, we think it is important that customers receive confirmation of their opt-out approval so errors can be detected before personal customer data is disclosed.
25 Written confirmation of opt-in approval is also important to prevent errors. The reason for confirmation of opt-in approval is that an error by a company in perceiving it has opt-in approval when it does not would expose customers' most sensitive information (e.g., whom they call and who calls them) to, among other things, disclosure to third parties. We believe the confirmation requirement is an important safeguard, and our record supports this conclusion. See WAC 480-120-213(1).
26 Oral Confirmation of Opt-Out or Opt-In Approval: Companies commented that oral confirmation should be permitted as well as written approval. No reason was given for this suggestion but we infer that it might be less expensive and easier to provide oral confirmation. Because our confirmation requirement is aimed at detecting errors and providing customers an opportunity to correct them, we are concerned that oral confirmation, even with instructions about correcting an error, would be less effective than written confirmation. An automatically-dialed announcement that includes confirmation and instructions on what to do if the customers believe there has been an error places the burden on customers to be ready to receive the instructions and make notes at the company's convenience. A written confirmation provides a customer with information on how to correct an error without requiring the customer to attend to the circumstances immediately by taking notes. We believe written confirmation assists customers and that oral confirmation would place a burden on customers. Accordingly we make no change in the adopted rules on this subject. See WAC 480-120-213.
27 Twenty-One Day Delay Before Acting on Opt-In Directives: Company comments opposed the proposed rule's requirement that carriers must delay taking action approved by a customer's opt-in directive until twenty-one days after a confirmation has been sent to the customer. We have not changed the proposed rule.
28 In essence, commenters suggested that the waiting period required for acting on opt-in approval is unnecessary and that customers who opt-in often want the company to act immediately. The waiting period applies when the company wants to use, disclose, or permit access to call detail information (e.g., whom the customer calls and who calls the customer) unrelated to direct contact between the company and the customer through a telemarketing call. The purpose of the waiting period is to give the customer time to receive the confirmation of opt-in approval and, if an error has been made, time to contact the company and correct the error. Company concerns that they would not be able to respond to a customer's immediate need are not correct because an immediate response can be provided if the company is in direct contact with its customer. We provide for immediate use of call detail information (the subject of opt-in approval) during inbound and outbound telemarketing calls.
29 Commenters also suggest that the twenty-one-day waiting period prior to acting on a customer's opt-in approval is inconsistent with the requirement that a company must provide a customer with the customer's CPNI upon written request. When a company asks customers to opt-in so the company can use, disclose, or permit access to customers' CPNI, the waiting period is to protect customers against the possibility of erroneous disclosure of very sensitive personal information. Companies confuse their desire to have customer approval to use CPNI for a commercial purpose with customer requests. A request by a customer for the customer's own information does not carry with it the same concern for an erroneous disclosure that exists with a company's request.
30 We have made a change in the adopted rules that relieves companies of the obligation to provide written confirmation and wait twenty-one days to respond to customers when they are in direct contact with the customer during inbound and outbound telemarketing calls. See WAC 480-120-213(1).
31 Training for Customer Service Personnel with Access to CPNI: Consumer comments were made evidencing a concern that training for customer service personnel may not be sufficient to protect the privacy of customers. These comments were made in support of an all opt-in regime. We did not adopt an all opt-in regime, but our proposed rules, and now our adopted rules, require companies to use training and other safeguards to protect customer privacy. We believe that the adopted rules address the concern. See WAC 480-120-215(1).
32 Commission Lacks Authority to Require Companies Serving Fewer than 2% of the States Access Lines to File an Annual Certificate of Compliance and Statement Regarding Compliance: Smaller companies object to the requirement for a company officer to file a compliance certificate on an annual basis stating the officer has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with rules concerning CPNI, and to file a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the rules on this topic. Companies claim an exemption to this requirement based on RCW 80.04.530(2). The commission has added a new subdivision (4) to the rule that provides that Class B companies need not report to the commission as required by subsection (3) of WAC 480-120-215.
33 Notice Related to Privacy Listings for Telephone Solicitation: One of our proposed rules concerns telephone solicitation calls to customers with nonpublished and unlisted telephone numbers. The rule requires that customers must be informed that inclusion in a solicitation list may be declined, and if declined, the company must not make any additional solicitation. This rule implements RCW 80.36.390, which permits people to indicate they would not like to receive any more solicitations. The commenter's concern is that the notice requirement is confusing, but no commenter stated how this notice requirement would be confusing. Because there is no clear statement of how the notice requirement might be confusing, and because we do not think it will cause confusion, we decline to make any change. See WAC 480-120-217.
34 CPNI is a National Issue Best Left to the FCC: Companies commented that control of CPNI is a national issue that should be left to the FCC to provide uniform regulations. We respond that control of CPNI is an issue of direct and substantive concern to customers and that it is appropriate for state commissions to adopt rules to balance customer privacy, speech, and association interests with the commercial speech interests of companies in a manner that is consistent with state law. Further, the FCC acknowledged in its rule that some state variation might be appropriate.
35 Customers Should Have the Opportunity to Correct Inaccurate Information: Consumers suggest that customers should have the opportunity to correct inaccurate information collected by a company. Unlike credit bureaus that collect information from others, the information with which we are concerned here is information in the possession of the telecommunications companies. Because the information at issue here would be collected directly from company sources, we are not concerned that it will be inaccurate. (Indeed, the concern for customer privacy, speech, and association interests arises precisely because of its accuracy in revealing sensitive personal communications and living habits.) We made no changes to the proposed rules as a result of this comment.
Docket No. UT-990146
| PROPOSED RULE SECTIONS |
DIFFERENCE BETWEEN PROPOSED AND ADOPTED RULE |
EXPLANATION OF CHANGE | INDEX TO COMMENTS IN APPENDIX A | |
| 1. | 480-120-201 Definitions. | Sec. 201 - Definitions. The definition section has changed by: 1) Addition of definition of "Associated company;" 2) change to call detail definition; 3) change to CPNI definition; 4) adds definition for data base management system (DBMS); 5) addition of definition for individually identifiable CPNI; 6) Change to private account information definition; and 7) elimination of definition of "Telecommunications related products and services." | Proposed rule contains a
definition of associated
company that replaces the
use of the phrase "any
entity under common
control of or with the
telecommunications
company."
|
See Appendix A, pages 1 and 2. |
| 2. | 480-120-202 Use of customer proprietary network information permitted. | Withdrawn. | See Appendix A, page 3. | |
| 3. | 480-120-203 Using a customer's call detail information. | Section 203 in the proposed rules required opt-in approval before use, disclosure or access to call detail. It provided for circumstances when approval was not required, e.g., to bill and collect. | In the adopted rule, opt-in approval for call detail is addressed in Section 204. | Opt-in and opt-out approval are addressed in the order. |
| 4. | Not in proposed rules. | Not in proposed rules | Section 203 in the adopted rules is taken from the FCC rules on CPNI and it prohibits one company from using CPNI to identify or track customers that call a competing company. | No comments. |
| 5. | 480-120-204 Using private account information in the provision of services. | This section in the proposed rules concerned those circumstances when no approval is necessary in order to undertake those actions normally required to operate a telephone network, or actions required by law. In the adopted rules, this material is expanded and is in Section 205. | The changes are found in Section 205 of the adopted rules, and include permission to provide customer premise equipment (CPE) and call answering, voice mail or messaging, voice storage and retrieval services, fax store and forward, and protocol conversion, and permission to provide call location information concerning the user of a commercial mobile service, as the term is defined in 47 U.S.C. § 222(d). | See Appendix A, pages 2 and 3-4. |
| 6. | 480-120-205 Using private account information during an inbound call. | This section in the proposed rules permitted use, disclosure, and access to private account information during inbound telemarketing call after express approval from the customer. | This topic is covered in Section 206 of the adopted rules. It permits only use of PAI and I-CPNI during both inbound and outbound telemarketing calls. Notice is required for outbound telemarketing calls. Express approval is required for in and outbound telemarketing calls unless approval secured prior to the call. If needed, approval must be recorded during outbound calls. | See Appendix A, pages 3-4. |
| 7. | 480-120-206 Using private account information for marketing telecommunications-related products and services and other products and services. | In proposed rule this section permitted use, but not disclosure or access, of private account information after notice and an opportunity to opt out. | In the adopted rules, use of private account information is addressed in Section 207. Use, but not disclosure or access, is permitted after notice and an opportunity to opt out. | No comments. |
| 8. | Not in proposed rules. | Not in proposed rules. | Section 208 of the adopted rules permits companies to use, but not disclose or permit access, to private account information without notice or customer approval to market telecommunications products or services related to service already provided to a customer. The information may also be shared with associated companies that also provide service to the customer. | See Appendix A, pages 4-5. |
| 9. | 480-120-207 Notice when use of private account information is permitted unless a customer directs otherwise ("opt-out"). | This topic is covered in Section 209 of the adopted rules. The requirement for annual opt-out notices has been changed to once every two years. The requirement to inform customers that telemarketers may have access to name and address and telephone number has been revised so that it does not imply that companies necessarily provide the information to telemarketers. The adopted rule also requires companies that seek opt-out approval to inform customers, if true, that the company has been using some private account information without having provided notice or seeking approval (see adopted WAC 480-120-208). | See Appendix A, pages 5-10. | |
| 10. | 480-120-208 Mechanisms for opting out of use of private customer account information. | The proposed rule required multiple methods for opting out. | Section 211 of the adopted rule addresses opt-out mechanism. No change was made. | See Appendix A, pages 6-7, 10-11. |
| 11. | 480-120-209 Notice when explicit ("opt-in") approval is required and mechanisms for explicit approval. | In the proposed rules, this section prescribed the notice necessary when a company seeks opt-in approval. It included a chart that described the various approval requirements based upon the type of information and use to which it would be put. | In the adopted rules, this is addressed in Section 212. One substantive change is the adopted rule permits a description of the general, rather than all, purposes for which I-CPNI information may be used. The adopted rules also requires companies that seek opt-out approval to inform customers, if true, that the company has been using some private account information without having provided notice or seeking approval (see adopted WAC 480-120-208). The chart has been revised to reflect the adopted rules. | See Appendix A, pages 6-10. |
| 12. | NOTE: WAC 480-120-210 has been used and repealed previously. It was not available for use in either the proposed or adopted rules. | |||
| 13. | 480-120-211 Confirming change in approval status. | The proposed rule required written confirmation of a change in opt-in or opt-out approval status and required companies to not act on an opt-in approval status change until twenty-one days after the confirmation is sent. | The adopted rule on this topic is Section 213. Included is an exception to the confirmation requirement when the notice is given during telemarketing call. There is also an exception to the confirmation and waiting period requirement when the customer requests the customer's own CPNI from the company. | See Appendix A, pages 9, and 12-14. |
| 14. | 480-120-212 Duration of customer approval or disapproval. | The rule states that a customer directive remains in effect until the customer revokes, modifies, or limits the directive. | The adopted rule is Section 214, and there is no change. | See Appendix A, pages 6-10, and 12. |
| 15. | 480-120-213 Safeguards required for using private account information. | The proposed rule requires companies to have in place certain safeguards to insure the confidentiality of CPNI is maintained in accordance with the rules. Included are a staff training requirement, a supervisory review process, and filing a compliance certificate. | The adopted rule is in Section 215, and there is no substantive change. | See Appendix A, page 14. |
| 16. | 480-120-214 Disclosing customer proprietary network information. | Companies must disclose customer CPNI upon written request of a customer. | The adopted rule is in Section 216, and there is no substantive change. | No comments. |
| 17. | 480-120-215 Using privacy listings for telephone solicitation. | The proposed rule limits company solicitation of customers with nonpublished or unlisted numbers. Companies must provide a means to request that they not be solicited, and inform customers that they may decline a telephone solicitation. | The adopted rule is in Section 217, and there is no substantive change. | See Appendix A, page 15. |
| 18. | 480-120-216 Using subscriber list information for purposes other than directory publishing. | The proposed rule restricted the use or disclosure of subscriber line information of customers who have nonpublished and unlisted numbers. | The adopted rule is Section 218, and there is no substantive change. | No comment. |
"Associated company" means any company that controls, is controlled by, or is under common control with, another company.
"Call detail" Except as provided in subsection (e), "call detail" means: (a) Any information that identifies or reveals for any specific call, the name of the caller (including name of a company, entity, or organization), the name of any person called, the location from which a call was made, the area code, prefix, any part of the telephone number of any participant, the time of day of a call, the duration of a call, or the cost of a call;
(b) The aggregation of information in subsection (a) of this subsection up to and including the level where a specific individual is associated with information on calls made to a given area code, prefix, or complete telephone number, whether that information is expressed through amount spent, number of calls, or number of minutes used and whether that information is expressed in monthly, less-than-monthly or greater-than-monthly units of time;
(c) The aggregation of the information in subsection (a) of this subsection up to and including the level where, expressed on a less-than-per-month basis, a specific individual is associated with general calling patterns (e.g. peak, off-peak, weekends) or amounts spent.
(d) Information associating a specific customer or telephone number with the number of calls that are answered or unanswered, correlated with a time of the day, day of the week, week or weeks, or by any time period shorter than one month.
(e) Call detail does not include information, other than information described in subsections (a), (b), (c), and (d) of this definition, compiled on a monthly basis. For example, call detail does not include the amount spent monthly by a specific customer on long distance calls, including the amount spent monthly on intra-LATA toll, intra-state toll, and interstate toll; the amount spent monthly on ancillary services; or the number of unanswered calls per month for a specific telephone number. Call detail does include, for example, the amount spent monthly calling area code XXX; that a particular telephone number was called X times in a month; the number of unanswered calls between the hours of 8:00 A.M. and 5:00 P.M. each month and the number of unanswered calls on Tuesdays each month.
"Customer proprietary network information (CPNI)" means: (a) Information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service, including call detail, and that is made available to the company by the customer solely by virtue of the customer-company relationship; and
(b) Information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a company; except that CPNI does not include subscriber list information.
(c) CPNI includes
(i) call detail,
(ii) private account information, and
(iii) information that is not individually identifiable to any particular customer.
"Company" means any telecommunications company as defined in RCW 80.04.010.
"Data base management system (DBMS)" means a data base used by local exchange company to provide automatic location information (ALI) to public safety answering points (PSAPs).
"Individually identifiable customer proprietary information (I-CPNI)" means call detail and private account information.
"Private account information (PAI)" means the subset of CPNI that does not include call detail but is associated with an identifiable individual.
"Subscriber list information" means any information: (a) Identifying the listed names of subscribers of a company and those subscribers' telephone numbers, addresses, or primary advertising classifications (as such classifications are assigned when service is established), or any combination of listed names, numbers, addresses, or classifications; and
(b) That the company or an affiliate has published caused to be published, or accepted for publication in any directory format.
"Telecommunications service" means the offering of telecommunications for a fee directly to the public, or to such classes of users to be effectively available directly to the public, regardless of the facilities used.
"Telemarketing" means contacting a person by telephone in an attempt to sell one or more products or services.
[]
[]
[]
(1) Initiate, render, coordinate, facilitate, bill, and collect for telecommunications services the customer has purchased or requested;
(2) Provide customer premise equipment and call answering, voice mail or messaging, voice storage and retrieval services, fax store and forward, and protocol conversion.
(3) Provide inside wiring installation, maintenance, and repair services.
(4) Protect the rights or property of the company, or to protect users of those services and other companies from fraudulent, abusive, or unlawful use of, or subscription to, such services;
(5) Resolve formal and informal complaints communicated to the company or commission by an applicant or customer;
(6) Provide records to a data base management system, or to any other database used in the provision of enhanced 9-1-1 or 9-1-1 service, or perform any other service for enhanced 9-1-1 or 9-1-1 purposes;
(7) Provide call location information concerning the user of a commercial mobile service, as the term is defined in 47 U.S.C. § 222(d) to,
(i) a public safety answering point, emergency medical service provider or emergency dispatch provider, public safety, fire service, or law enforcement official, or hospital emergency or trauma care facility, in order to respond to the user's call for emergency services;
(ii) inform the user's legal guardian or members of the user's immediate family of the user's location in an emergency situation that involves the risk of death or serious physical harm; or
(iii) provide information or database management services solely for purposes of assisting in the delivery of emergency services in response to an emergency.
(8) Comply with any applicable law, or any governmental rule, regulation or order, or any subpoena or other demand of apparently lawful authority.
[]
(1) A company may use an individual's I-CPNI to the extent necessary to provide any inbound telemarketing, referral, or administrative services to the customer for the duration of the call, if:
(a) Such call was initiated by the customer; and
(b) During the call and prior to the company's use of the information, the customer expresses approval for the company to use the information during the call.
(2) A company may use an individual's I-CPNI to the extent necessary to provide telemarketing referral, or administrative services to the customer for the duration of an outbound telemarketing call, if:
(a) The company provides oral notice during the call that complies with 480-120-212, except the oral notice is not required to comply with subsection (3)(i), (l), (m), (n), and (o), and subsection (4)(a) of 480-120-212; and
(b) During the call and prior to the company's use of the I-CPNI, the customer expresses approval for the company to use the information during the call in the manner required in 480-120-212 (4)(b).
(3) This section does not apply if:
(a) A company is permitted to use PAI because it has opt-out approval under WAC 480-120-209 and 211.
(b) A company is allowed to use PAI without approval by WAC 480-120-208; or
(c) A company is permitted to use I-CPNI because it has obtained opt-in approval under WAC 480-120-212.
[]
(1) Unless the customer directs otherwise, a telecommunications company and its associated companies may use a customer's PAI to market the company's or its associated companies' own products and services.
(2) A company may not use a customer's PAI information as provided in subsection (1) of this section unless it has provided notice to each customer pursuant to WAC 480-120-209, and provided the customer with a reasonable opportunity to direct the company not to use the information (opt-out) pursuant to WAC 480-120-211.
[]
(1) A company and its associated companies may use PAI without customer approval for the purpose of marketing their service offerings among the categories of service (i.e., local, interexchange, and commercial mobile radio service (CMRS)) to which the customer already subscribes from the same company.
(a) If a company provides different categories of service, and a customer subscribes to more than one category of service offered by the company, the company is permitted to share the customer's private account information with its associated companies that provide a service to the customer.
(b) If a company provides different categories of service, but a customer does not subscribe to more than one category of service offered by the company, the company is not permitted to share the customer's PAI with its associated companies. This subsection does not preclude a company from meeting the requirements of, and taking action under, WAC 480-120-209 and 211 or 212.
(2) A company may use customers' PAI related to that company's provision of local exchange service to market services formerly known as adjunct-to-basic services, such as, but not limited to, speed dialing, computer-provided directory assistance, call monitoring, call tracing, call blocking, call return, repeat dialing, call tracking, call waiting, caller I.D., call forwarding, and certain centrex-type features without customer approval.
[]
(2) A company may not use a customer's private account information pursuant to WAC 480-120-207(1) unless, at least once in the past two years, the company has provided a written notice to the customer, as provided for in this section, and provides the customer with a reasonable opportunity to opt-out at any time. The written notice may be provided by electronic mail to customers with whom the company ordinarily conducts business through electronic mail. A notice provided by electronic mail must comply with this section, but the company is not required to provide the means for response to an opt-out notice required in 480-120-211 (2)(c) and (d) to customers that receive the required notice by electronic mail.
(3) The written notice must be mailed separately from any advertising or promotional material. It may be included with the customer's bill.
(4) The written notice must be posted on the company's web site and must be readily accessible from the company's home page.
(5) Any opt-out notice must include the following items:
(a) A statement that the name, address, and telephone number, if published in the telephone directory, are not private information and may be used by telemarketers even if the customer opts-out;
(b) A statement that private account information may be used to market (i) telecommunications-related products and services, or (ii) other products and services, or both (i) and (ii), whichever applies;
(c) A statement that the customer has a right to direct the company not to use the customer's private account information and that doing so will not affect the provision of any services to which the customer subscribes;
(d) A disclaimer that an opt-out directive for private account information does not prevent the company from making telephone solicitation or telemarketing calls to the customer and does not prevent the company from including the customer's listed name, address, and telephone number in lists sold, leased or provided to other firms. This disclaimer is not required if the company's practice is to exclude customers who opt-out of private account information use from use or disclosure for telemarketing purposes or if the company does not sell, lease, or directly provide such lists to other firms;
(e) A statement that the customer should expect to receive written confirmation within thirty days of the directive, with a suggestion that the customer call the company if the confirmation is not received by this time;
(f) A prominent statement of specific instructions by which the customer can direct the company not to use the customer's private account information. The dedicated opt-out telephone number required by WAC 480-120-211 (2)(a) must be printed in bold type and in a size larger than the body of the notice.
(g) A statement substantially equivalent to one or more of the following, if true:
(i) "Without customer approval, the company uses your [the customer's] private account information for the purpose of marketing service offerings among the categories of service (i.e., local, interexchange, and CMRS) to which the customer already subscribes from the company;" or
(ii) "Without customer approval, the company shares your [the customer's] private account information with its associated companies"; or
(iii) "Without customer approval, the company uses your [the customer's] private account information to market adjuncts to basic services, such as, but not limited to, speed dialing, computer-provided directory assistance, call monitoring, call tracing, call blocking, call return, repeat dialing, call tracking, call waiting, caller I.D., call forwarding, and certain centrex features."
(6) The notice must be comprehensible and not misleading.
(7) The notice must be clearly legible, in twelve-point or larger typeface.
(8) A company may state in the notice that the use of PAI may enhance the company's ability to offer products and services tailored to the customer's needs, if such a statement is accurate.
(9) A company may state in the notice that the customer, upon affirmative written request, may compel the company to provide PAI to any person.
[]
Reviser's note: The brackets and enclosed material in the text of the above section occurred in the copy filed by the agency and appear in the Register pursuant to the requirements of RCW 34.08.040.
NEW SECTION
WAC 480-120-211
Mechanisms for opting out of use of
private customer account information (PAI).
(1) This section
applies when a company, pursuant to WAC 480-120-207(1), is
permitted to use a customer's PAI unless the customer directs
otherwise (opt-out).
(2) At a minimum, companies must allow customers to opt-out using the following mechanisms, which must be provided by the company:
(a) Calling a dedicated, toll-free telephone number that provides access to a live or automated operator at all times. The telephone number must be accessible from all areas of the state where the company provides service. Without receiving unrelated information from the company before giving their directive, customers must have the option to opt-out;
(b) Calling any telephone number that the company provides for billing or customer service inquiries. This subsection permits companies to transfer customers directly to the number required in (a) of this subsection;
(c) Marking a box or blank on the notice and returning it to a stated address;
(d) Returning a postage-paid card included with the notice;
(e) Electronic mail, if the company otherwise receives or sends electronic mail messages to its customers; and
(f) Submitting an opt-out form found on the company's web site. The opt-out form must be directly linked to the written notice required by WAC 480-120-209(2). The web site must be accessible to the public using generally available browser software.
(3) A company may require, as part of any opt-out mechanism, that the customer comply with reasonable procedures to verify the identity of the customer. Any opt-out verification procedure must be no more burdensome on the customer than any verification procedure used by the company when a customer provides express (opt-in) approval or orders additional services on an existing account.
[]
(2) A company must maintain records of customer notification and approval.
(3) Any solicitation for express customer approval must be accompanied by a written notice to the customer of the customer's right to restrict use, disclosure, and access to that customer's I-CPNI. The notice must state that I-CPNI includes all information related to specific calls initiated or received by a customer.
(a) The notice must state that the customer has a right under federal and state law to protect the confidentiality and limit use, disclosure, and access to the customer's I-CPNI.
(b) The notice must state that the company has a duty under federal and state law to protect the confidentiality of I-CPNI and to comply with the customer's limitations on use, disclosure, and access to the information.
(c) The notice must state the types of information that constitute I-CPNI. If a company is seeking express approval to use, disclose, or permit access to call detail information, the notice must specify that call detail includes the telephone numbers of all calls made or received by the customer.
(d) The notice must specify whether the I-CPNI can be used, disclosed, or accessed by any entity or person other than the company providing the notice.
(e) The notice must describe general purposes for which I-CPNI can be used, disclosed, or accessed and specifically disclose whether the I-CPNI can be used to market services to the customer.
(f) The notice must inform the customer that approval by the customer is voluntary and that no action is required to protect the customer's I-CPNI from disclosure to third parties.
(g) The notice must inform the customer that deciding not to opt-in will not affect the provision of any services to which the customer subscribes.
(h) The notice must be comprehensible and must not be misleading.
(i) The notice must be clearly legible, in twelve-point or larger type, and be placed so as to be readily apparent to a customer.
(j) If any portion of a notice is translated into another language, then all portions of the notice must be translated into that language.
(k) A company may state in the notice that the customer's approval to use, disclose, or permit access to I-CPNI may enhance the company's ability to offer products and services tailored to the customer's needs, if the statement is accurate.
(l) A company may state in the notice that the customer, upon affirmative written request, may compel the company to disclose the customer's I-CPNI to any person.
(m) The notice must state that any approval for use, disclosure of, or access to I-CPNI may be revoked at any time.
(n) The notice must state that the customer should expect to receive written confirmation within thirty days and suggest that the customer call the company if the confirmation is not received by this time.
(o) A statement substantially equivalent to one or more of the following, if true,
(i) "Without customer approval, the company uses your [the customer's] private account information for the purpose of marketing service offerings among the categories of service (i.e., local, interexchange, and CMRS) to which the customer already subscribes from the company;" or
(ii) "Without customer approval the company shares your [the customer's] PAI with its associated companies;" or
(iii) "Without customer approval the company uses your [the customer's] PAI to market adjuncts to basic services, such as, but not limited to, speed dialing, computer-provided directory assistance, call monitoring, call tracing, call blocking, call return, repeat dialing, call tracking, call waiting, caller I.D., call forwarding, and certain centrex features."
(4) Opt-in approval by the customer must be either:
(a) In writing, including messages by facsimile or electronic mail; or
(b) Orally, if the oral approval is verified by an independent third-party using substantially the same procedures as provided in WAC 480-120-147 (1)(c) or if the company makes a sound recording of the oral approval sufficient to establish knowing approval.
(5) The following table illustrates information
identified in WAC 480-120-204 through WAC 480-120-208 and
whether it would be considered to require express "opt-in"
approval, an "opt-out" directive or is not covered by the
rule.
Depends on the Type of Information
| Type of Activity |
Type of Information | |
| Call Detail (specific calls, etc.) |
Private Account Info. (excludes call detail) |
|
| Disclosing to third parties | Opt-in. (Sec. 204) |
Opt-in (Sec. 204) |
| Marketing products and services out of category to which customer already subscribes | Opt-in (Sec. 204) |
Opt-out (Sec. 207) |
| Marketing products and services within the category to which customer subscribes | Opt-in (Sec. 204) |
No approval (Sec. 208) |
| In & outbound telemarketing of products and services out of category to which customer already subscribes | Oral opt-in good
for duration of
call (Sec. 206) |
Oral opt-in, good for duration of call (Sec. 206; but no approval during call if company has opt-out approval under 207) |
| In & outbound telemarketing of products and services within the category to which customer subscribes | Oral opt-in good
for duration of
call (Sec. 206) |
No approval (Sec. 208) |
[]
Reviser's note: The brackets and enclosed material in the text of the above section occurred in the copy filed by the agency and appear in the Register pursuant to the requirements of RCW 34.08.040.
NEW SECTION
WAC 480-120-213
Confirming changes in customer approval
status.
(1) Each time a company receives a customer's opt-out
directive or opt-in approval that changes the customer's
approval status, the company must confirm in writing the
change in approval status within thirty days. The written
confirmation must either be mailed to the customer's billing
address, or may be sent to the customer's electronic mail
address if the directive was sent to the company by
electric-mail, and must be separate from any other mail from
the company. The confirmation must include a short summary of
the effect of the customer's opt-out or opt-in choice, and
must provide a reasonable method to notify the company if the
company made an error in changing the customer's approval
status.
(2) A company may not use, disclose, or permit access to a customer's call detail based on a customer's express opt-in approval until three weeks after mailing the confirmation to the customer.
(3) This section does not apply when approval was received for the duration of an inbound or outbound telemarketing call as provided for in WAC 480-120-206.
(4) This section does not apply when a customer requests disclosure of CPNI as provided for in WAC 480-120-216.
[]
Reviser's note: The typographical error in the above section occurred in the copy filed by the agency and appears in the Register pursuant to the requirements of RCW 34.08.040.
NEW SECTION
WAC 480-120-214
Duration of customer approval or
disapproval.
A company must continue to follow any opt-out
directive or opt-in approval received until the customer
revokes the directive or approval.
[]
(1) Companies must train all personnel who have access to I-CPNI as to when they are and are not authorized to use, disclose, or permit access to CPNI, and companies must implement an express disciplinary process to deal with violations of the requirement.
(2) Companies must establish a supervisory review process regarding company compliance with rules governing use, disclosure of, or access to CPNI for outbound marketing situations and must maintain records of company compliance for at least two years. Specifically, sales personnel must obtain supervisory approval of any proposed outbound marketing request.
(3) Companies must have an officer, as an agent of the company, sign a compliance certificate on an annual basis stating the officer has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with rules concerning CPNI. The company must provide a statement accompanying the certificate explaining how its operating procedures ensure that it is or is not in compliance with the rules on this topic. The certificate and the compliance statement must be filed with the company's annual report to the commission.
(4) Class B companies need not report to the commission as required by subsection (3) of this section. However, these companies must retain, for at least three years from the date they are created, all records that would be relevant, in the event of a complaint or investigation, to a determination of the company's compliance.
[]
[]
(2) When the company provides the notice required in subsection (1) of this section in writing, the notice must include a toll-free number and an electronic mail address the customer may use to state that solicitation should not be made.
(3) When the company provides the notice in subsection (1) of this section by phone call, the customer must be informed that inclusion in a solicitation list may be declined and if declined, the company must not make any additional solicitation.
[]
[]
[]
The following sections of the Washington Administrative Code are repealed:
| WAC 480-120-144 | Use of privacy listings for telephone solicitation. |
| WAC 480-120-151 | Telecommunications carriers' use of customer proprietary network information (CPNI) |
| WAC 480-120-152 | Notice and approval required for use of customer proprietary network information (CPNI). |
| WAC 480-120-153 | Safeguards required for use of customer proprietary network information (CPNI). |
| WAC 480-120-154 | Definitions. |