EXECUTIVE SUMMARY

CTIA members are committed to safeguarding the privacy and security of their customers’ data, and they have invested heavily in programs and processes to do so. Although CTIA members acknowledge Commission efforts to address the complicated issues of data privacy and security, the rules adopted in the Report and Order (the “Rules”) actually undermine the Commission’s stated goals.

CTIA’s Petition for Reconsideration (“Petition”) identifies material errors and omissions in the Report and Order and urges the Commission to address several arguments that were presented to the Commission during the Comment period but were not fully considered, and vacate, modify, or clarify the Rules accordingly. Specifically, the Commission should reconsider its application of the Rules to broadband service. If the Commission nevertheless declines to vacate the Rules in their entirety, it should limit the scope of information to which the Rules apply to customer proprietary network information (“CPNI”), amend certain definitions in the Rules, reconsider restrictions that the Rules impose on the use of financial inducements and service offerings in exchange for the use of customer information, allow providers flexibility to determine when to provide notice to customers, and narrow several aspects of the data breach notification requirements to align with the approaches taken by the Federal Trade Commission (“FTC”) and state laws.

Moreover, CTIA encourages the Commission to follow Commissioner Pai’s suggestion and fully harmonize the Rules with the longstanding guidance provided by the FTC. For instance, the Rules should allow providers to infer consent to use customer information for internal purposes and first-party marketing in most circumstances and should align the definition of “sensitive information” with the FTC’s definition, which does not include web browsing or application usage history.

In addition, the Commission should vacate the Rules insofar as they are grounded in any statutory authority other than Section 222(c). The Commission suggests that Section 201(b), Section 202(a), Title III, and Section 706 may provide alternative bases for the Rules. The Commission’s ability to regulate the privacy and security of customers’ information is limited, however, to the authority Congress granted in Section 222(c), and none of these other provisions gives the Commission authority to impose privacy and security requirements.

Download Full Document