CPNI Opt-in/Opt-out Rules, Pretexting and Covered Entities
After U.S. West v. FCC struck a 1998 opt-in rule on First Amendment grounds, carriers' own use of CPNI shifted to opt-out. The 2007 CPNI order requires opt-in before sharing CPNI with joint venture partners/contractors and adds anti-pretexting rules (passwords, breach notice to law enforcement within seven business days).
In 1998 the FCC required express opt-in consent before carriers used CPNI even for their own marketing. U.S. West, Inc. v. FCC (1999, 10th Cir.) struck this down on First Amendment grounds, shifting carriers' own use to opt-out. The 2002 rules required opt-in before sharing CPNI with third parties but allowed sharing with joint venturers/contractors unless customers opted out within 30 days.
The 2007 CPNI order now requires customers to opt in before carriers share CPNI with joint venture partners and independent contractors for marketing. It also targets Pretexting: carriers must notify law enforcement of a CPNI security breach within seven business days, require a password for phone/online CPNI access, and certify compliance annually with a summary of complaints.
CPNI rules apply to telecommunications carriers and interconnected VoIP providers. The FCC does not regulate streaming Over-the-top provider (OTT) companies. A 2016 FCC rule regulating broadband ISP privacy was repealed under the Trump administration; ISPs today are subject to the general Section 222 CPNI requirements.