EPIC logo

(A PDF version is also available with more accurate formatting.)

Before the
Federal Communications Commission
Washington, D.C. 20554

In the Matter of

Telecommunications Carriers'
Use Of Customer
Proprietary Network Information

)
)
)
)
)

CC Docket No. 96-115 CC
Docket No. 96-149


To: The Commission

REPLY COMMENTS OF THE ELECTRONIC PRIVACY INFORMATION CENTER, AMERICAN CIVIL LIBERTIES UNION, AMERICAN LIBRARY ASSOCIATION, CENTER FOR DIGITAL DEMOCRACY, CENTER FOR MEDIA EDUCATION, COMPUTER PROFESSIONALS FOR SOCIAL RESPONSIBILITY, CONSUMER ACTION, CONSUMER FEDERATION OF AMERICA, JUNKBUSTERS, MEDIA ACCESS PROJECT, NATIONAL CONSUMERS LEAGUE, NETACTION, PRIVACYACTIVISM, PRIVACY JOURNAL, PRIVACY RIGHTS CLEARINGHOUSE, PRIVACY TIMES, PUBLIC CITIZEN LITIGATION GROUP, AND US PIRG

November 16, 2001

Pursuant to the notice published by the Federal Communications Commission on October 2, 2001 regarding Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, the Electronic Privacy Information Center, American Civil Liberties Union, American Library Association, Center for Digital, Democracy, Center for Media Education, Computer Professionals for Social Responsibility, Consumer Action, Consumer Federation of America, Junkbusters, Media Access Project, National Consumers League, NetAction, Privacyactivism, Privacy Journal, Privacy Rights Clearinghouse, Privacy Times, Public Citizen Litigation Group, and US PIRG submit the following comments and incorporate the original filing by reference.

The commentators again urge the Commission to meet its fundamental responsibility to protect the privacy rights of those using the Nation's telecommunications system by implementing an opt-in approach towards telecommunications carriers' use of customer proprietary network information (CPNI) pursuant to section 222 of the Communications Act of 1996.  In promulgating section 222, Congress addressed a particular privacy concern: "protecting the confidentiality of proprietary information." [1] These reply comments demonstrate that an opt-out approach to the use of CPNI does not adequately protect this articulated concern because opt-out systems have systematically failed to give consumers control over their personal information. Therefore, employing an opt-in approach is consistent with the First Amendment and is the only reasonable fit with Congressional intent to protect the privacy of telephone subscribers' personal information.

I.       Opt-out approaches have been Proven Insufficient to Adequately Protect Customer Privacy as Mandated by Congress in the Enactment of Section 222

A.        Opt-Out Notices Fail to Protect Customers' Legitimate Privacy Interest
There is substantial evidence establishing that an opt-in approach is the only effective method to protect sensitive private information because opt-out approaches are not calculated to reasonably inform consumers about their privacy options.  Not only is the burden on the customer to pay for and return their opt-out notice, such notices are vague, incoherent, and often concealed in a pile of less important notices mailed from the same source. [2]   The importance of the notices, as well as their purpose, is rarely brought to the customer's attention in any coherent fashion.  Studies have revealed that, "the majority of the general public is still unaware of the exact nature of marketing uses and the availability of opt-out choices." [3]
AT&T cites U.S. v. Playboy for the proposition that speculation about the inadequacy of opt-out is insufficient to justify the heightened restrictions imposed by an opt-in regime. [4] AT&T's reliance on Playboy is faulty for two reasons. The restrictions at issue in Playboy were content based. [5] If a statute regulates speech based on its content, it must be narrowly tailored to promote a compelling government interest. [6] If a less restrictive alternative would serve the government's purpose, the legislature must use that alternative. [7] In contrast, the regulations at interest here trigger only intermediate scrutiny under the Central Hudson analysis, [8] under which analysis the means propounded need not be the least restrictive means. Under Central Hudson, the government may regulate commercial speech that is neither misleading nor unlawful if: (1) there is substantial interest in support of its regulation; (2) the restriction on commercial speech directly and materially advances that interest; and (3) the regulation is narrowly drawn. [9]    The Supreme Court has carefully detailed the difference between the "narrowly tailored" fit required under strict scrutiny, and that required under intermediate scrutiny.
With respect to this prong, the differences between commercial speech and noncommercial speech are manifest. In Fox, we made clear that the "least restrictive means" test has no role in the commercial speech context. "What our decisions require," instead, "is a ‘fit' between the legislature's ends and the means chosen to accomplish those ends,' a fit that is not necessarily perfect, but reasonable; that represents not necessarily the single best disposition but one whose scope is ‘in proportion to the interest served,' that employs not necessarily the least restrictive means but … a means narrowly tailored to achieve the desired objective." [10]
Therefore, because the CPNI regulations are subject to intermediate scrutiny, unlike in Playboy the Commission need not prove that an opt-in regime is the least restrictive alternative, only that it is a "means narrowly tailored to achieve the desired objective." [11]
AT&T's reliance on Playboy also fails to account for the fact that the Commission's decision to promulgate an opt-in regime relies on more than "anecdote and supposition," [12] because it was the result of careful calculation and assessment of both approaches before the Commission chose to favor the more protective opt-in approach. [13] In addition, there is substantial evidence that opt-out regimes implemented in other circumstances or by other agencies have failed to protect the customer privacy that was the impetus of the regulation.
The recent experience of consumers with the Gramm-Leach-Blilely Act demonstrates the failure of the opt-out regime to adequate protect sensitive personal information. Gramm-Leach-Bliley Act requires banks, insurance agencies, and brokerage firms to send notice and opportunity to opt-out to customers before sharing their non-public information. [14] According to the law, these financial privacy notices are supposed to be written in a "clear and conspicuous" style; however, few institutions implementing GLB have provided consumers with "clear and conspicuous" [15] notices, as those terms would be defined by most customers. Opt-out notices mailed out by financial institutions in compliance with the GLBA were unintelligible and couched in language several grade levels above the reading capacity of the majority of Americans. [16]   Several experts have highlighted the inadequacy of such statements.  Mark Hochhauser, PhD, a readability consultant, reviewed sixty GLBA opt-out notices, calculating that they averaged at a 3rd or 4th year college reading level rather than the junior high level comprehensible to the general public. [17]   For example:
If you prefer that we not disclose nonpublic personal information about you to nonaffiliated third parties, you may opt out of those disclosures, that is, you may direct us not to make those disclosures (other than disclosures permitted by law). [18]  
AT&T states: "As for those customers who decline to opt out, there is no reason to believe that they place a high value on keeping their CPNI private, and thus no basis for concluding that an opt in requirement materially furthers any interest in protecting privacy." Expert studies illustrate that, in fact, few consumers recall seeing notices even when the notices are required to be clear and conspicuous, which suggests that when businesses do not want consumers to see a notice, consumers will not. [19]
Sprint Corporation asserts that an opt-out regime is adequate to protect consumer privacy, relying upon the fact that in the interim period following U.S. West, "no serious problems associated with carriers' use of their customers' CPNI have arisen." [20]    However, the period following U.S. West has not been an opt-out regime; instead, there have been no uniform regulations following the 10th Circuit's vacating of the CPNI regulations. However, a true opt-out regime, as implemented under GLBA, has generated numerous complaints, as consumers view the financial institutions' unintelligible notices as an attempt to hoodwink them. [21]   In fact, the opt-out approach promulgated under the GLBA has proven so ineffective that the Federal Trade Commission has scheduled an Interagency Public Workshop to address some of the concerns that have been raised "about the clarity and effectiveness of some of the privacy notices" sent out by financial institutions in response to the GLBA. [22]   Specifically, the concerns raised by consumers have included complaints that "the notices are confusing and/or misleading and that the opt-out disclosures are hard to find." [23] In light of the difficulty faced by another government commission in the implementation of an opt-out approach, it is reasonable for the Commission to have chosen opt-in as a narrowly tailored privacy protection. 
B.        Silence Does Not Constitute Customer Approval

Section 222(c)(1) requires a telecommunications carrier to obtain a customer's approval before it can use, disclose, or allow access to that customer's CPNI. [24] Those advocating an opt-out approach rely upon the assumption that customer silence, or inaction, signals approval (permission and intent). [25] This assumption runs counter to all other commercial transactions, in which "approval" requires an affirmative action by an informed consumer. [26] Therefore, the assertion that an opt-out regime is sufficient to meet the requirements of section 222(c)(1) fails to account for the real, legal, and commercial definitions of approval. [27]

II.           An Opt-In System Improves Information Flow, Increases Quality of the Telecommunications Service, and Reduces Prices

Proponents of an opt-out approach argue that such a system is economically preferable, as it increases the amount of information available to both producers and consumers, allows telecommunications carriers to improve services offered by tailoring these services to specific customers, and reduces prices. [28] This assertion erroneously assumes that the only costs at issue are those of production, without accounting for increased transaction costs incurred by the consumer in seeking to exercise privacy rights created by statute. [29]

Opt-out regimes create an economic incentive for businesses to make it difficult for consumers to exercise their preference not to disclose personal information to others. Because opt-out systems do not require businesses to create inducements for consumers to choose affirmatively to disclose personal information, these systems encourage firms to engage in strategic behavior and thus inflate consumer transaction costs. [30]   In contrast, an opt-in system would permit consumers who wish to protect their privacy to do so, while encouraging telecommunications carriers to eliminate consumer transaction costs. [31]   Because carriers profit from the use of consumer information, and thus want as much information as possible, carriers would have an incentive to make it as easy as possible for consumers to consent to the use of their personal information.  Such a system might include a comprehensible list of the benefits to opting-in, contained within a clearly marked mailing, with a pre-paid stamped envelope.  This would preclude the transaction costs involved with attempting to contact via phone customers with the authority to opt-in.  It also reduces the strategic behavior costs associated with opt-out—the costs associated with providing consumers a message that they don't want consumers to receive—because the telecommunications carriers would have an incentive to lower costs associated with providing customers a message that they are very eager to have the customer receive. [32]   Finally, opt-in may decrease the amount of information in the marketplace, but it permits telecommunications carriers to target products at those who have specified an interest in such information: thereby decreasing the wasted costs associated with targeting uninterested customers. [33]

III.    Legal Scholars Believe Opt-In is Both Fair and Efficient

Legal scholars who have considered the issue of opt-in versus opt-out have invariably concluded that the opt-in regime is both more likely to safeguard privacy interests and is more economically efficient. Opt-in upholds the primary purpose of privacy legislation: to ensure that consumers are given some effective means of control over the use of personal information held by others. As Professor Mark Budnitz explained:
Consumers should have the ability to opt in because a choice to opt in gives consumers, in the first instance, greater control over their personal information. . .  .  Consumers may fail to opt out for a variety of reasons that have little to do with whether they truly want a company to collect and disseminate information about them. For example, they may not understand the nature of the information that will be collected, aggregated, and disseminated; how the company will use the information for its internal purposes; the nature of third parties to whom the data may be distributed; or what those third parties may do with the data. . . . Moreover, the opt-out method is easy for companies to abuse.  The opt-in approach is far more consistent with consumer control because it assumes consumers do not want their privacy invaded. Therefore, consumers automatically are protected from invasions. If consumers are willing to give away their privacy or to trade it in return for a benefit they desire, they have the ability to do so. [34]
In the specific context of CPNI, legal scholars have determined that the opt-in rule promotes markets efficiency. As Professor Paul Schwartz has observed:
The goal regarding individually identified CPNI should be to find a way to permit consumers to make informed decisions about use of their information at the least cost to them. To reach this goal, companies should be forced to internalize not only their own costs but at least some of their customers'. Such action, by raising the "price" of personal information and privacy violations, will improve efficiency in "privacy price discrimination." [35]
Professor Julie Cohen's review of the nature of consent obtained under the two regimes emphasizes the significance of opt-in as the more efficient way to allocate the burden to act where information asymmetries exist:
If we reconceptualized the government interest in protecting data privacy as an interest in correcting information asymmetries in the market for personally-identified data, the Central Hudson analysis (or a more stringent review) might proceed quite differently. In particular, an explicitly economic approach to regulation of speech markets would save regulations like the opt-in rule challenged in U.S. West, which focus on the quality as well as the fact of consent. [36]
Professor Daniel Solove, reviewing this recent literature on opt-in versus opt-out regimes, writes:
Thus, providing people with opt-out rights and privacy policies does little to give individuals much control over the information collected and used. Regulation mandating that consumers opt-in rather than opt-out will more effectively control the flow of information between unequal parties. [37]

Professor Solove concludes, "effective privacy regulation must require an opt-in system which requires a meaningful range of choices as well as addresses inequalities in knowledge and power and other impediments to voluntary and informed consent." [38]

IV.    Conclusion

The Commission has a fundamental responsibility, mandated by Congress, to implement adequate mechanisms for protecting the privacy of telecommunications customers.  The U.S. West court vacated the initial rulemaking because there was no showing of specific harm that would result to customers upon implementation of the less speech-restrictive opt-out approach.  These comments illustrate that there is ample evidence of such harm that has resulted to consumers upon implementation of similar systems. In the light of such tangible evidence, the Commission's responsibility to protect the privacy of telecommunications customers can only be met by implementing an opt-in approach.

CERTIFICATE OF SERVICE
            I, Marc Rotenberg, certify that copies of the foregoing Reply Comments of Electronic Privacy Information Center will be sent by first class mail to the parties listed below.
Chairman Michael K. Powell
Federal Communications Commission

445 12th Street, SW
Washington, DC 20554

Commissioner Kathleen Q. Abernathy
Federal Communications Commission

445 12th Street, SW
Washington, DC 20554

Commissioner Michael J. Copps
Federal Communications Commission
445 12th Street, SW

Washington, DC 20554


Commissioner Kevin J. Martin
Federal Communications Commission
445 12th Street, SW
Washington, DC 20554

Dorothy Attwood
Chief of Common Carrier Bureau
Federal Communications Commission
445 12th St., SW

Washington, DC  20554

Marcy Greene
Attorney Advisor
Common Carrier Division
Federal Communications Commission
445 12th St., SW
Washington, DC  20554

Peter D. Keisler
Daniel Meron
Jonathon F. Cohn
Sidley Austin Brown & Wood
1501 K Street, NW
Washington, DC 20005

Mark C. Rosenblum
Judy Sello
AT&T Corp.
Room 1135L
2295 North Maple Avenue
Basking Ridge, NJ 07921

Michael B. Fingerhut
Richard Juhnke
Jay C. Keithley
401 9th Street NW,
Suite 400
Washington, DC 20004

Joseph Assenzo
6160 Sprint Parkway
Overland Park, KS 66251

Davida Grant
Gary Phillips
Paul K. Mancini
SBC Communications, Inc.
1401 Eye Street, NW
Suite 1100
Washington, DC 20005

_____________________

Marc Rotenberg



[1] Section 222(a). 
[2] See Paul M. Schwartz & Joel R. Reidenberg, Data Privacy Law: A Study of United States Data Protection 329-30 (1996) ("The industry itself recommends the use of only vague notices that do not offer meaningful disclosure of practices.")
[3] IdSee also Privacy Rights Clearinghouse Second Annual Report 21 (1995), cited in Jerry Kang, Information Privacy in Cyberspace Transactions, 50 Stan. L. Rev. 1193, 1253 n.255 (1998) ("Many consumers are unaware of personal information collection and marketing practices. They are misinformed about the scope of existing privacy law, and generally believe there are far more safeguards than actually exist.")
[4] See Comments of AT&T Corp., In the Matter of Implementation of the Telecommunications Act of 1996, Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information; Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended, CC Docket No. 96-115, CC Docket No. 96-149, Nov. 01, 2001, citing to U.S. v. Playboy, 529 U.S. 803 (2000). 
[5] See U.S. v. Playboy, 529 U.S. 803, 813 (2000).
[6] See id.
[7] See id.
[8] See U.S. West v. FCC, 182 F.3d at 1224, 1232-33 & n.4 (10th Cir. 1999).
[9] Central Hudson Gas & Elec. Corp. v. Public Serv. Comm'n, 447 U.S. 557, 564-65 (1980).
[10] Florida Bar v. Went For It, Inc, 515 U.S. 618, 632 (1995). 
[11] Id.
[12] Id at 822. 
[13] See CPNI Order at 20,327-20,338.
[14] See 15 U.S.C. §§6801-6810 (1999). 
[15] Id. §6802(b)(1)(A).
[16] See Robert O'Harrow Jr., "Getting a Handle on Privacy's Fine Print: Financial Firms' Policy Notices Aren't Always 'Clear and Conspicuous,' as Law Requires," Washington Post, June 17, 2001, at H01.
[17] Mark Hochhauser, Ph.D, "Lost in the Fine Print: Readability of Financial Privacy Notices," http://www.privacyrights.org/ar/GLB-Reading.htm, (2001) (last accessed November 14, 2001). 
[18] See Harrow, supra note 16. 
[19] See Jeff Sovern, "Opting in, Opting Out, or No Options at All,: The Fight For Control of Personal Information," 74 Wash. L. Rev. 1033, 1099 (1999). 
[20] Comments of Sprint Corporation, In the matter of Implementation of the Telecommunications Act of 1996, Telecommunications Carriers' Use of Customer Proprietary Network Information  and Other Customer Information; Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended, CC Docket No. 96-115, CC Docket No. 96-149, Nov. 01, 2001.
[21] See Harrow, supra note 16.
[22] Interagency Public Workshop, "Get Noticed: Effective Financial Privacy Notices," http://www.ftc.gov/bcp/workshops/glb/ (last accessed Nov. 15, 2001); see also Press Release, "Workshop Planned to Discuss Strategies for Providing Effective Financial Privacy Notices," http://www.ftc.gov/opa/2001/09/glbwkshop.htm, Sept. 24, 2001 (last accessed Nov. 15, 2001). 
[23] See Joint Notice Announcing Public Workshop and Requesting Public Comment, "Public Workshop on Financial Privacy Notices," at 3.
[24] See Telecommunications Act of 1996 § 702(c)(1), 47 U.S.C. § 222(c)(1) (Supp. III 1997).
[25] See, e.g., Comments of SBC Communications, Inc., In the Matter of Implementation of the Telecommunications Act of 1996, Telecommunications Carriers' Use of Customer Proprietary Network Information  and Other Customer Information; Implementation of the Non-Accounting Safeguards of Sections 271 and 272 of the Communications Act of 1934, As Amended, CC Docket No. 96-115, CC Docket No. 96-149, Nov. 01, 2001, at 9 ("[Mandatory opt-in approval] is premised on the faulty view that inaction by a customer cannot be taken as a manifestation of customer intent.  There is no demonstrated basis for that view").
[26] See Sovern, supra note 14, at1105 ("Normally, silence in commercial settings does not operate as acceptance of an offer. … We do not allow sellers to impose contracts on buyers through negative options, yet we allow sellers to use consumers' personal information as they please without having to give notice."
[27] Black's Law Dictionary defines "approve" as "to give formal sanction to; to confirm authoritatively."  Black's Law Dictionary 98 (7th ed. 1999).  Webster's defines "approval" as " formal consent or sanction," while sanction is defined as "to grant permission."  Webster's New World Dictionary 68, 302 (2nd College Ed. 1984).  Commercial contracts require the party to the contract to give affirmative approval before the contract is considered valid.  F2 Richard A. Lord, A Treatise on the Law of Contracts 6:3, 6:49, at 17-18, 561 (14th ed. 1991). 
[28] See e.g., Comments of AT&T Corp., supra note 4, at i. 
[29] See Sovern, supra note 14, at 1082-83. 
[30] See id. at 1099-1100. 
[31] See id.
[32] See Sovern, supra note 14, at 1101-02. 
[33] See id. at 1103.
[34] Mark E. Budnitz, "Privacy Protection for Consumer Transactions in Electronic Commerce: Why Self-Regulation is Inadequate," 49 S.C. L. Rev. 847 (1998).
[35] Paul M. Schwartz, "Charting a Privacy Research Agenda: Responses, Agreements, and Reflections," 32 Conn. L. Rev. 929, 936 (2000)
[36] Julie E. Cohen, "Examined Lives: Informational Privacy and the Subject as Object," 52 Stan. L. Rev. 1373, 1414 (May 2000).
[37] Daniel J. Solove, "Privacy and Power: Computer Databases and Metaphors for Information Privacy," 53 Stan. L. Rev. 1393 (July 2001).
[38] Id. (emphasis added).