Telecommunications Act of 1996 (Section 222)

Question 1

Sector

Answer 1

Telecommunications

Question 2

Year Passed/Amended

Answer 2

1996; most recent rules promulgated 2007

Question 3

Original Purpose

Answer 3

Govern privacy of customer information provided to telecommunications carriers

Question 4

Primary Requirements

Answer 4

Can’t sell customer data to third parties without consent; multiple restrictions on access, use and disclosure

Question 5

Entities subject to law

Answer 5

Telecommunications carriers and voice-over-internet protocol (VoIP) providers; ISPs; broadband providers (per the FCC Broadband Privacy Rule)

Question 6

Term for relevant PII or regulated data

Answer 6

customer proprietary network information (CPNI)

Question 7

Definition of relevant PII or regulated data

Answer 7

Information collected by carriers related to their subscribers. Includes subscription info, services used, network and billing info, phone features and capabilities, and call log data.

DOES NOT include name, telephone number, and address.

Question 8

Civil or criminal?

Answer 8

Civil only

Question 9

Enforcing authority - civil

Answer 9

FCC

Question 10

Penalties - civil

Answer 10

[not mentioned in the book]

Question 11

Preemption?

Answer 11

Unclear–not mentioned in the book, and it looks case-by-case based on some light independent research

Question 12

Private right of action?

Answer 12

Not mentioned in the book

Question 13

FIP individual rights addressed

Answer 13

Notice, choice and consent, access (i.e., all)

Question 14

Notice requirements

Answer 14

Breach notifications: carriers must notify law enforcement within seven days of breach

Question 15

Choice and consent provisions

Answer 15

Can only use CPNI with customer consent.

Internal: opt-out (due to First Amendment rights of holders)

External (third party, joint venture partners and independent marketing contractors): opt-in

Question 16

Exceptions for consent

Answer 16

(a) as required by law;
(b) can use, disclose, or provide marketing offerings among service categories to which customers already subscribe;
(c) billing and collections;
(d) fraud prevention;
(e) customer service;
(f) emergency services

Question 17

Access requirements

Answer 17

Customers get access; must be password-protected

Question 18

FIP Information Control principles addressed

Answer 18

None (not information security or information quality)

Question 19

FIP Information Lifecycle principles addressed

Answer 19

Use and retention, disclosure (not collection/disposal)

Question 20

Use and retention provisions

Answer 20

Discussed as part of the exceptions for consent. Do not need consent for uses among service categories to which customers already subscribe; billing and collections; fraud prevention; customer service; and emergency services.

Question 21

Disclosure provisions

Answer 21

Discussed as part of the exceptions for consent. Do not need consent for disclosures for services to which customers already subscribe; billing and collections; fraud prevention; customer service; and emergency services.

Question 22

FIP management principles addressed

Answer 22

Administration; monitoring and enforcement (so, both)

Question 23

Administration requirements

Answer 23

Detailed compliance requirements (not discussed in book)

Question 24

Monitoring and enforcement requirements

Answer 24

Must certify compliance annually, explain how their systems ensure compliance and provide an annual summary of consumer complaints related to unauthorized disclosure of CPNI