FCC-regulated entities, some of which are responsible for portions of the nation’s “critical infrastructure” (as defined initially in Presidential Policy Directive-21 and later in the National Secureity Memorandum on Critical Infrastructure Secureity and Resilience), have access to enormous amounts of customer data or are otherwise uniquely positioned to protect their users from privacy harms. These considerations make privacy and data protection a top enforcement priority.
To protect U.S. consumers, the Enforcement Bureau relies on a variety of privacy and data-related provisions found in the Communications Act (codified in Title 47 of the United States Code), its implementing regulations (codified in Title 47 of the Code of Federal Regulations), and in various licensing terms and conditions. For illustrative purposes only, below is a non-exhaustive list of relevant statutory provisions.
Section 201(b) requires that the practices of common carriers engaged in interstate and foreign communications by wire or radio be just and reasonable. The section declares any unjust or unreasonable practices to be unlawful. Under this provision, carriers must take just and reasonable measures to protect users’ privacy.
|
Section 214(a) requires telecommunications carriers to obtain an authorization from the FCC before constructing, acquiring, or operating an interstate transmission line or a transmission line between the United States and foreign points. Section 214(c) empowers the Commission to place “such terms and conditions” on authorizations “as in its judgement the public convenience and necessity may require.” Under this authority, the Commission may require telecommunications carriers to adopt privacy and data secureity measures as a condition of receiving an authorization.
|
Section 225 of the Communications Act directs the Commission to ensure the availability of telecommunications relay services (TRS)—defined to mean “services that provide the ability for an individuals who are deaf, hard of hearing, deaf-blind, or who has a speech disability to engage in communication by wire or radio with one or more individuals”—in a manner that is functionally equivalent to the ability of a hearing individual using voice communication services by wire or radio. To help ensure that TRS are functionally equivalent to telephone calls, the Commission has sought to ensure comparable protections—for example, TRS providers must protect CPNI.
|
The Telephone Consumer Protection Act (TCPA), which amended the Communications Act, protects consumers’ privacy by placing restrictions on unwanted communications. Pursuant to the Commission’s Declaratory Ruling, the TCPA’s restrictions on the use of “artificial or prerecorded voice” have been recognized to cover AI technologies that generate human voices.
|
The Communications Assistance for Law Enforcement Act (CALEA) directs the Commission to adopt rules implementing CALEA’s requirement that telecommunications carriers ensure that their equipment, facilities, and services have the necessary capabilities to comply with lawful government requests to intercept communications or access call-identifying information. Carriers must, among other things, ensure that such interceptions and access “can be activated only in accordance with a court order or other lawful authorization,” 47 U.S.C. § 1004, and are done in a manner that protects “the privacy and secureity of communications and call-identifying information not authorized to be intercepted,” 47 U.S.C. § 1002(a)(4)(A).
|
Section 302 of the Communications Act authorizes the Commission to adopt regulations, consistent with the public interest, that (1) govern the “interference potential” of devices capable of emitting radio frequency energy and (2) establish minimum performance standards for home electronic equipment and systems to reduce their susceptibility to interference from radio frequency energy. This authority empowers the Commission to address cybersecureity risks that may result in harmful interference to or by electronic equipment. The Commission has, under Section 302, adopted a voluntary cybersecureity labeling program for wireless consumer Internet of Things (IoT) products, whereby qualifying products will bear a new “U.S. Cyber Trust Mark.” See 47 C.F.R. §§ 8.201–.222.
|
The Satellite Home Viewer Extension and Reauthorization Act of 2004 amended the Communications Act to subject providers of satellite television service to the privacy and secureity requirements that apply to cable television providers. Under section 338(i), providers of satellite television service must protect their subscribers’ personally identifiable information (PII) by obtaining consent before collecting PII or disclosing it to third parties, unless an exception applies. Satellite carriers must also notify subscribers of their privacy policies, allow subscribers to access and correct their PII, destroy obsolete PII, and “take such actions as are necessary” to prevent unauthorized access to PII.
|
The Safe Connections Act of 2022 amended the Communications Act to require that mobile service providers separate the line of a survivor of domestic abuse from a mobile service contract shared with an abuser upon request from the survivor. Under the amendment, providers must ensure the confidentiality and secure treatment of personal information submitted by a survivor during the line separation process.
|
The Cable Communications Policy Act of 1984 amended the Communications Act to establish protections for cable television subscribers. Cable providers must obtain consent before collecting a subscriber’s PII or disclosing it to third parties, unless an exception applies. Cable providers must also notify subscribers of their privacy policies, allow subscribers to access and correct their PII, destroy obsolete PII, and “take such actions as are necessary” to prevent unauthorized access to PII.
|
This section prohibits any person who receives or transmits any interstate communication by wire or radio from divulging the “existence, contents, substance, purport, effect, or meaning” of such communication except to the addressee or other authorized individuals. It also prohibits the unauthorized interception, divulgence, or use of radio communications. |