On Petition for Review of an Order of the Federal Communications Commission.
The opinion of the court was delivered by: Randolph, Circuit Judge
Argued September 10, 2008
Before: RANDOLPH, ROGERS and TATEL, Circuit Judges.
Whenever someone makes a call on a telephone or a cell phone, that person's telecommunications carrier receives information about who was called, when, and for how long. Carriers also have records about the kinds of services and features their customers purchase. More than twenty years ago, the Federal Communications Commission required carriers to maintain the confidentiality of such information if their customers so requested. In re Furnishing of Customer Premises Equipment and Enhanced Services by American Telephone & Telegraph Co., 102 F.C.C.2d 655, ¶¶ 64--67 (1985). The Telecommunications Act of 1996 also imposed on carriers a "duty to protect the confidentiality of proprietary information of . . . consumers." 47 U.S.C. § 222(a). Although § 222 permitted carriers to use customer information within the confines of the existing service relationship, it prohibited carriers from otherwise using, disclosing or allowing access to such information except "as required by law" or "with the approval of the customer." Id. § 222(c)(1). The issues presented in this petition for judicial review deal with the validity of the Commission's latest order specifying how carriers are to obtain their customers' approval.
Under the 1996 Act, "customer proprietary network information" consists of information relating to the "quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier." 47 U.S.C. § 222(h)(1). This statutory definition of what we will refer to as "customer information" encompasses customers' particular calling plans and special features, the pricing and terms of their contracts for those services, and details about who they call and when. Some carriers may use this information to market specific services or upgrades to their customers, tailored to individual usage patterns. Other carriers, especially smaller ones and new market entrants, may find it more efficient to enter into agreements with joint venturers or independent contractors to conduct such targeted marketing.
In its 1998 Order implementing the confidentiality mandate of the 1996 Act, the Commission interpreted § 222 as setting out two categories of uses of customer information: those uses to which customers implicitly consent simply by subscribing to a carrier's services, and those for which the carrier would have to obtain express customer approval. Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, 13 F.C.C.R. 8061, ¶ 23 (1998) ("1998 Order"). To delineate the bounds of implicit customer approval, the Commission adopted the "total service approach," which turned on a distinction between three traditional categories of telecommunications services: local telephone service, interexchange (primarily long distance calling service), and commercial mobile radio services (primarily mobile or cellular phone service). Id. ¶¶ 24, 27; see also 47 C.F.R. § 64.2005(a). The 1998 Order provided that carriers could infer customer approval within the confines of existing service in one or more of the categories above. 1998 Order ¶ 25. Implicit approval also extended to customer information sharing with carriers' affiliates who provide one of the other service types within the existing service relationship between the customer and the carrier. Id. ¶ 51. But if carriers wished to use or disclose customer information outside of the existing relationship, even in communications with their customers, the Commission determined that customers had to consent, affirmatively and explicitly, ahead of time. Id. ¶ 87. This approach became known as the "opt-in" method.
In U.S. West, Inc. v. FCC, 182 F.3d 1224 (10th Cir. 1999), the court of appeals held that the 1998 Order's opt-in consent requirement amounted to an unconstitutional restriction on the carriers' First Amendment right to speak to their customers. Id. at 1240. Relying on Central Hudson Gas & Electric Corp. v. Public Service Commission of New York, 447 U.S. 557 (1980), the court ruled that the Commission had not satisfied "its burden of showing that the customer approval regulations restrict no more speech than necessary to serve the asserted state interests." U.S. West, 182 F.3d at 1239. The court cited a lack of evidence that "customers do not want carriers to use their" information; even if there were such evidence, the court thought the Commission had failed to show "that an opt-out strategy would not sufficiently protect consumer privacy." Id.
In response to the Tenth Circuit's decision, the Commission initiated a new rulemaking proceeding and issued an order modifying its regulations. See Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, 17 F.C.C.R. 14860 (2002) ("2002 Order"). The Commission stated that "in light of U.S. West we now conclude that an opt-in rule for intra-company use [between a carrier and its affiliates] cannot be justified based on the record we have before us." Id. ¶ 31. The Commission took into account customers' interest in learning of their carriers' service offerings and what it perceived as a lower risk of infringement of personal privacy when customer information is shared within an organization. The Commission therefore required only optout approval for the sharing of customer information between a carrier and its affiliates for communications-related purposes. Id. ¶¶ 33S40. The Commission prescribed the content, form, and frequency of the notice and opt-out process, pursuant to which the approval of customers would be presumed unless they specifically told their carriers not to share the information. Id.
The 2002 Order also allowed carriers to share customer information with joint venture partners or independent contractors for marketing communications-related services. 2002 Order ¶¶ 47S49. But the Commission recognized a heightened personal privacy risk associated with these third parties because they did not qualify as "carriers" under the Telecommunications Act and thus were not subject to § 222's confidentiality requirements. Id. ¶ 46. The Commission therefore ordered carriers and their joint venture partners or independent contractors to enter into confidentiality agreements to safeguard customer information, in addition to the opt-out notices sent to customers. Id. ¶ 47. Carriers were apparently content with this state of affairs; no challenges were mounted against the 2002 Order.
The Electronic Privacy Information Center petitioned in 2005 for further rulemaking to modify the Commission's customer information sharing rules. The petition noted the increasing number of "data brokers" -- organizations that sell private information about individuals online -- and expressed concern about how easily these organizations are able to obtain the information from carriers and other entities. Pet. for Rulemaking at 5S8. The petition suggested that data brokers might obtain the information from customer service representatives by pretending to have proper authority to receive it (known as "pretexting"), by gaining unauthorized access to consumers' online accounts with carriers (by hacking, for example), or through "dishonest insiders" working for the carriers. Id. at 1. Concerned that inadequate privacy protections contributed to the data broker problem, the Commission initiated a new rulemaking proceeding, received comments, and issued the Order at issue in this case. See Implementation of the Telecommunications Act of 1996: Telecommunications Carriers' Use of Customer Proprietary Network Information and Other Customer Information, 22 F.C.C.R. 6927 (2007) ("2007 Order").
Two months before the Commission adopted the 2007 Order, Congress passed the Telephone Records and Privacy Protection Act of 2006, Pub. L. No. 109-476, 120 Stat. 3568 (codified at 18 U.S.C. § 1039). The statute imposed criminal penalties for pretexting, 18 U.S.C. § 1039(a)(1)S(3); unauthorized access to consumer accounts online, id. § 1039(a)(4); selling or transferring customer information, presumably by either data brokers or dishonest company insiders, id. § 1039(b); and knowing purchase or receipt of fraudulently obtained customer information, id. § 1039(c). Congress found that unauthorized disclosure of customer information "not only assaults individual privacy but, in some instances, may further acts of domestic violence or stalking, compromise the personal safety of law enforcement officers, their families, victims of crime, witnesses, or confidential informants, and undermine the integrity of law enforcement investigations." Telephone Records and Privacy Protection Act § 2(5).
In its 2007 Order the Commission changed, for the third time, its requirements for the form of customer approval necessary to satisfy 47 U.S.C. § 222. Relying on "new circumstances" to justify its altered approach, the Commission now required carriers to "obtain opt-in consent from a customer before disclosing that customer's [information] to a carrier's joint venture partner or independent contractor for the purpose of marketing communications-related services to that customer." 2007 Order ¶ 37. The Commission distinguished joint venture partners and independent contractors from affiliates for two reasons. First, it determined that information shared with third-party marketers is subject to a greater risk of loss once out of the carrier's actual control; and second, it determined that those third parties would not likely be subject to the confidentiality requirements of § 222 because they are not themselves carriers. Id. ¶ 39. It would not sufficiently protect consumer privacy, the Commission found, for carriers simply to terminate their relationships with third parties who lose customer information, or for the Commission to rely on enforcement proceedings in the case of unauthorized disclosure: at that point, the damage has already been done. Id. ¶ 42. The Commission also found, based on studies brought to its attention during the rulemaking process, that ...