Telecom Firms Oppose FCC's New Rules on Phone Privacy

The telecom industry is warning that new federal phone privacy rules are too broad and will hurt competition, but consumer advocates are praising the measures as a significant step in protecting customers' phone records from unauthorized disclosure.

The rules, released this week by the Federal Communications Commission, are aimed in large part at preventing the practice of pretexting, where a caller impersonates a phone customer to gain access to his or her phone records and then sells them. One rule, for example, bans companies from releasing records of a customer's phone calls to anyone over the telephone unless a password is provided.

Most significantly for industry, the rules require telecommunications companies to gain a customer's permission before sharing his or her phone records with a joint venture partner or third-party marketer.

"This is an extremely anti-consumer outcome," said Walter B. McCormick Jr., president and chief executive officer of USTelecom, the nation's largest trade association representing telephone, video, cable and Internet service providers. "This approach also will impede competition, and will particularly impact the smaller rural service providers, who now will be unable to work with outside marketing partners, even though they have no connection to illegal pretexting."

Consumer advocates said, however, that the rules are essential to consumer privacy and prevention of pretexting. "Consumers now have greater control over who has access to their private and detailed phone records," said Jeannine Kenney, senior policy analyst at Consumers Union.

The rules were prompted by concerns raised in 2005 by the Electronic Privacy Information Center, a nonprofit advocacy group, that telecommunications carriers were not properly safeguarding customer data, leaving it vulnerable to pretexting. The technique was used by private investigators hired by Hewlett-Packard executives to snoop on board members in a scandal that erupted last year.

The FCC also was reacting to an alarming spate of data breaches, which have compromised the personal information of more than 150 million U.S. residents since January 2005, the Privacy Rights Clearinghouse said.

Industry officials said they took their customers' privacy seriously and agree that data thieves should be stopped, but the FCC's rules go too far, especially the "opt-in" rule requiring companies to obtain a customer's consent before sharing their data, McCormick said.

"We are deeply concerned that the FCC is taking an overly broad approach, far beyond protecting the legitimate privacy interests of call detail information to preventing any marketing of new services, bundled offerings and new applications--using joint venture partners or independent contractors--that can save consumers money," he said.

The FCC's reasoning behind the opt-in provision is that once customer data is shared with a third party, the carrier no longer has control over it and the risk of data loss grows, the commissioners said in a text accompanying the rule. They noted that disclosure of unauthorized records not only can invade individual privacy but may further acts of domestic violence or stalking.

Current rules, by which customers must opt-out, or take the initiative to tell a company not to share their data, do not adequately protect consumer privacy because most customers either do not read or do not understand carriers' opt-out notices, the FCC said.

Phone and cable companies have long turned to marketing firms to contact customers who might want new services in the belief that those firms can often do the job more effectively. Under the new rule, as a practical matter, the company could no longer subcontract that role unless it obtained consent from individual customers before sharing their data, industry officials said.

"What concerns us is there's no evidence that suggests that sharing data with a third party marketer is less safe than if it stays with us, whether it's a question of pretexting or someone leaving their laptop in an airport lounge or someone hacking into a database," said an industry official, who requested anonymity because the industry is still evaluating legal challenges.

But the opt-in approach is "clearly what consumers prefer," said Marc Rotenberg, EPIC executive director. "It's not difficult to obtain consent if consumers are given opportunity."

The rules also require that a company notify a customer when an online account is opened or an online password is changed, measures aimed at stemming theft of personal data such as billing statements through company Web sites.

Consumer advocates and some commission members criticized a provision that allows a company to delay notifying a customer of a data breach for 14 days to give law enforcement time to investigate a breach. This, commissioner Michael J. Copps said, "is akin to not telling victims of a burglary that their home has been broken into because law enforcement needs to continue dusting for fingerprints."

Sprint Nextel, which has joint venture with four cable companies to provide voice, video, broadband and wireless services, said the rules would not jeopardize that partnership.

The rules are to take effect on or after Nov. 2. Failure to comply can result in civil penalties. The FCC is considering additional rules to protect consumer's personal data.