FCC 96-221 Before the Federal Communications Commission Washington, DC 20554 In the Matter of ) ) Implementation of the ) CC Docket No. 96-115 Telecommunications Act of 1996: ) ) Telecommunications Carriers' Use ) of Customer Proprietary Network ) Information and Other ) Customer Information ) NOTICE OF PROPOSED RULEMAKING Adopted: May 16, 1996 Released: May 17, 1996 Comment Date: June 11, 1996 Reply Comment Date: June 26, 1996 By the Commission: I. INTRODUCTION 1. On February 14, 1996, several local exchange carrier associations (the Associations) informed the Common Carrier Bureau (Bureau) that their members were uncertain about their responsibilities under the Telecommunications Act of 1996 regarding use and protection of customer proprietary network information (CPNI), and requested that the Commission conduct a rulemaking to implement the provisions of the 1996 Act. On March 5, 1996, the NYNEX Telephone Companies (NYNEX) filed a petition for declaratory ruling regarding the proper interpretation of one aspect of Section 222. On March 27, 1996, U S West, Inc. (U S West) responded to the NYNEX Petition by letter to the Bureau Chief. In response to these and other informal requests for guidance from the telecommunications industry, we initiate this proceeding to seek comment on proposed regulations to specify in more detail and clarify the obligations of telecommunications carriers with respect to the use and protection of CPNI and other customer information. We invite parties who wish to respond to any of the above-referenced industry filings to do so by submitting comments in this proceeding. 2. Section 702 of the 1996 Act added a new Section 222 to the Communications Act of 1934, as amended, which sets forth, among other things, restrictions on the use of CPNI obtained by telecommunications carriers in providing telecommunications service to customers as well as certain requirements related to the availability of subscriber list information. In addition, the 1996 Act establishes a new Section 275(d) that prohibits local exchange carriers (LECs) from using information obtained from calls made to alarm monitoring service providers to market their own alarm monitoring services, or those provided by any other entity, and requires the Commission to adopt implementing regulations within six months. Although the requirements of Section 222 were immediately effective, we tentatively conclude that regulations that interpret and specify in more detail a telecommunications carrier's obligations under subsections 222(c)-(f) of the 1996 Act would be in the public interest. In this Notice of Proposed Rulemaking (NPRM), we propose a regulatory regime that balances consumer privacy and competitive considerations to ensure that telecommunications carriers comply with their new statutory obligations to maintain the privacy of CPNI and other customer information. 3. In addition, we clarify that the CPNI requirements the Commission previously established as nonstructural safeguards in the Computer II and Computer III proceedings for the provision of enhanced services and customer premises equipment (CPE) by American Telephone and Telegraph (AT&T), the Bell Operating Companies (BOCs), and GTE Corporation (GTE) remain in effect, pending the outcome of the rulemaking, to the extent that they do not conflict with Section 222, since nothing in the 1996 Act affects these requirements. To the extent that the 1996 Act requires more of a carrier, or imposes greater restrictions on a carrier's use of CPNI, the statute, of course, governs. We seek comment on whether there are statutory, competitive, or privacy reasons that justify the continued application of these pre- existing rules (which are discussed in greater detail below) to the BOCs, and GTE. With respect to AT&T, we tentatively conclude that these requirements should be removed in light of our recent decisions classifying AT&T as a non-dominant carrier, and the pending AT&T reorganization separating its equipment business from its telecommunications service business. We also seek comment regarding the extent to which these pre-existing rules should or must be amended in light of the language or pro- competitive, deregulatory goals of the new statute. We tentatively conclude that it is not in the public interest, at this time, to extend all of these pre-existing CPNI rules to carriers that are not affiliated with AT&T, the BOCs, or GTE, and seek comment on that conclusion. To the extent that we conclude that we should apply more restrictive CPNI access requirements to certain groups of carriers, such as the BOCs, we seek comment on the specific market conditions or other circumstances that would warrant removal of those requirements in the future. II. BACKGROUND A. Commission CPNI Requirements Established Prior to Enactment of the Telecommunications Act of 1996 4. Prior to enactment of the 1996 Act, in the context of the Computer II and Computer III proceedings, the Commission established requirements applicable to the use of CPNI for the marketing of enhanced services and CPE by AT&T, the BOCs, and GTE. The Commission determined that such requirements were necessary to protect independent enhanced service providers (ESPs) and CPE suppliers from discrimination by AT&T, the BOCs, and GTE. In the absence of these safeguards, the affected carriers could use CPNI obtained from their provision of regulated services to gain an anticompetitive advantage in the unregulated CPE and enhanced services markets. Further, the Commission found that these CPNI requirements were in the public interest because they were intended to protect legitimate customer expectations of confidentiality regarding individually identifiable information. The Commission defined CPNI to encompass any information about customers' network services and their use of those services that a telephone company possessed because it provided those network services. 5. Under the Commission's Computer III rules, the BOCs have been required to abide by a request from any customer that its CPNI be withheld from the BOCs' enhanced services and CPE marketing personnel. If, however, the customer has not requested CPNI protection, the CPNI rules vary depending on: (1) whether the information is disclosed to the BOC's CPE or ESP affiliate; (2) the number of lines to which a customer subscribes; and (3) whether the subscriber is a residential or business customer. For example, BOC personnel have been able to use CPNI without prior authorization for marketing CPE to all customers. With respect to marketing enhanced services, written prior authorization has been required from customers that subscribe to more than 20 lines. BOC personnel could use the CPNI of customers that subscribe to 20 or fewer lines, however, without prior authorization. Unaffiliated ESPs by contrast have been required to obtain prior customer authorization to obtain access to CPNI maintained by the BOCs. The Commission's rules also imposed on BOCs a notification obligation which required BOCs to provide annual written notification of CPNI rights to multiline (2 or more lines) business customers. In previous orders, the Commission has required the BOCs to implement various computerized systems to protect against unauthorized access by their enhanced services and CPE personnel to restricted CPNI. In addition, the BOCs have been required to accommodate customer requests for partial or temporary restrictions on access to their CPNI. The Commission applied these requirements to GTE in its provision of enhanced services, but not CPE, while declining to apply these requirements to other independent telephone companies. 6. Although AT&T is subject to CPNI restrictions under Computer III, the AT&T requirements generally are less stringent than those applicable to the BOCs. For example, AT&T is not required to obtain prior authorization from a customer with more than 20 lines before using its CPNI to market enhanced services. Similarly, while the BOCs must notify multiline customers annually of their right to restrict disclosure of CPNI to BOC CPE affiliates, AT&T must only provide such notification in a one-time billing insert. AT&T, however, must maintain password/ID systems and other mechanisms to restrict unauthorized access to CPNI. 7. On March 10, 1994, the Bureau issued a Public Notice inviting comments on these CPNI rules in light of the increasing alliances, acquisitions, and mergers by and between telephone and non-telephone companies. In recognition of these changes, the Bureau sought comment from the public on whether the existing CPNI safeguards would continue in the future to strike the appropriate balance among customers' privacy interests, competitive equity, and efficiency. B. New Sections 222(c) and (d): CPNI Privacy Provisions of the Telecommunications Act of 1996 8. In new Sections 222(c) and (d), the 1996 Act established requirements for maintaining the confidentiality of CPNI that became effective immediately upon enactment for all telecommunications carriers. New Section 222(f)(1) defines CPNI as "information that relates to the quantity, technical configuration, type, destination, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship." The statute explicitly includes within the definition of CPNI "information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier." 9. New Section 222(c)(1) provides that: Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains [CPNI] by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable [CPNI] in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories. Section 222 further provides that "[a] telecommunications carrier shall disclose [CPNI], upon affirmative written request by the customer, to any person designated by the customer." 10. The 1996 Act establishes three exceptions to the general prohibition set forth in Section 222(c)(1). A telecommunications carrier, either directly or indirectly through its agents, may use, disclose, or permit access to individually identifiable CPNI: "(1) to initiate, render, bill, and collect for telecommunications services; (2) to protect the carrier's rights or property of the carrier, or to protect users of those services and other carriers from fraudulent, abusive, or unlawful use of, or subscription to, such services; or (3) to provide any inbound telemarketing, referral, or administrative services to the customer for the duration of the call, if such call was initiated by the customer and the customer approves of the use of such information to provide such service." 11. The 1996 Act also establishes separate requirements for the treatment of "Aggregate Customer Information." A telecommunications carrier, other than a LEC, may use, disclose, or permit access to aggregate customer information for purposes other than those specified by Section 222(c)(1). LECs may use aggregate CPNI for purposes other than those specified by Section 222(c)(1) only if, upon reasonable request, they provide such aggregate customer information to other carriers or persons on reasonable and nondiscriminatory terms and conditions. C. New Section 222(e): Availability of Subscriber List Information 12. New Section 222(e) states that, notwithstanding Sections 222(b), (c), and (d), a telecommunications carrier that provides telephone exchange service must provide "subscriber list information gathered in its capacity as a provider of such service on a timely and unbundled basis, under nondiscriminatory and reasonable rates, terms, and conditions, to any person upon request for the purpose of publishing directories in any format." "Subscriber list information" is defined as "any information identifying the listed names of subscribers of a carrier and such subscribers' telephone numbers, addresses, or primary advertising classifications . . . that the carrier or an affiliate has published . . . or accepted for publication in any directory format." As with new Sections 222(c) and (d), new Section 222(e) also became effective immediately upon enactment. D. New Section 275(d): Use of Data Regarding Alarm Monitoring Services 13. With respect to the provision of alarm monitoring services, the 1996 Act states that a LEC "may not record or use in any fashion the occurrence or contents of calls received by providers of alarm monitoring services for the purposes of marketing such services on behalf of such [LEC], or any other entity." The new statute further requires the Commission to establish, within six months after the enactment of the 1996 Act, any regulations necessary to enforce the provisions concerning LEC use of alarm monitoring service call information. III. DISCUSSION 14. As noted above, shortly after passage of the 1996 Act, representatives of several telecommunications carriers and carrier associations contacted the Bureau with questions regarding the scope and substance of their obligations under the Section 222 CPNI provisions that became effective immediately upon enactment. The Bureau also received a letter, submitted on behalf of associations representing a majority of the LECs, that, inter alia, asked the Commission to commence a rulemaking to resolve questions concerning the LECs' responsibilities under the CPNI provisions of the 1996 Act. In addition, NYNEX filed a petition for declaratory ruling seeking confirmation of its interpretation of one aspect of Section 222 and U S West responded by letter to that petition. 15. In view of these concerns expressed by the industry, as well as our own analysis of the 1996 Act, we tentatively conclude that regulations that interpret and specify in more detail a telecommunications carrier's obligations under Section 222 would be in the public interest. We seek comments on this tentative conclusion and on the specific requirements we propose to adopt. Based on our reading of the 1996 Act and its legislative history, we believe that Congress sought to address both privacy and competitive concerns by enacting Section 222. In their comments, we ask parties to explain specifically whether their arguments in support of, or in opposition to, the adoption of particular CPNI requirements are based on privacy concerns, competitive concerns, or both. In this proceeding, we seek to establish promptly the regulatory framework for carrier compliance with the CPNI requirements contained in Section 222. We also clarify the applicability of our existing Computer III CPNI rules to AT&T, the BOCs, and GTE, and seek comment on whether these pre-existing rules should continue to apply. In addition, we seek comment on the carrier requirements in Section 222(e) for making subscriber list information available to others upon request for the purpose of publishing directories. Finally, we seek comment on what procedures LECs should develop to comply with their Section 275(d) obligations. A. Scope of the Commission's Authority 16. Section 2(b) of the 1934 Act preserves state jurisdiction over "charges, classifications, practices, services, facilities, or regulations for or in connection with intrastate communications service by wire or radio of any carrier . . . ." Under Louisiana PSC, the Commission has authority to preempt state regulation of intrastate telecommunications services where such state regulation would thwart or impede the Commission's exercise of its lawful authority over interstate telecommunications services because regulation of the interstate aspects cannot be severed from regulation of the intrastate aspects. We note that, in connection with the CPNI rules we established prior to the enactment of the 1996 Act, we preempted state CPNI rules that required prior authorization inconsistent with our own rules, determining that such state rules would effectively negate federal policies promoting both carrier efficiency and consumer benefits. The U.S. Court of Appeals for the Ninth Circuit upheld this exercise of our preemption authority. We note that our preexisting CPNI rules were established pursuant to the Commission's general regulatory authority under the Communications Act of 1934. The 1996 Act establishes a specific statutory scheme governing access to and protection of CPNI in a way that "balance[s] both competitive and consumer privacy interests with respect to CPNI." 17. We seek comment on the extent to which Section 222 permits states to impose additional CPNI requirements. We further seek comment regarding what aspects of state regulation of CPNI or other customer information would enhance or impede the federal purpose. We are particularly interested in receiving comment on state regulation regarding: 1) whether written or oral authorization is allowed, and 2) the appropriate interpretation of the term "telecommunications service," and whether such state regulation would enhance or impede valid federal interests with respect to CPNI and other customer information. 18. In addition, we seek comment regarding whether the CPNI provisions of Section 222 and the data safeguards provision of Section 275(d) may by themselves give the Commission jurisdiction over both the interstate and intrastate use and protection of CPNI and other customer information with respect to matters falling within the scope of those sections. 19. In addition, we seek comment regarding the scope of the Commission's authority with respect to the subscriber list information provision set out in Section 222(e), which applies to information gathered in the provision of "telephone exchange service." Because Section 222(e) applies to "telephone exchange service," we further seek comment regarding the respective federal and state roles in ensuring that subscriber list information is made available "under nondiscriminatory and reasonable rates, terms, and conditions." B. Procedures for All Telecommunications Carriers: Sections 222(c) and (d) i. CPNI Use Prohibition 20. Absent prior customer authorization, Section 222(c)(1) authorizes a telecommunications carrier to use individually identifiable CPNI obtained from the provision of a particular telecommunications service solely to provide "the telecommunications service from which such information is derived," or services necessary to provide that telecommunications service. Neither Section 222 nor the definition of the terms "telecommunications" and "telecommunications service" set forth in the 1996 Act provide explicit guidance as to the scope of the term "a telecommunications service," as used in Section 222. Moreover, the Joint Explanatory Statement in the Conference Report is silent on this issue. Some might contend that Congress intended to define the term "telecommunications service" broadly to include all services that the Commission has classified as "basic" services. Under this interpretation, providers of telecommunications services could use, without prior customer authorization, CPNI obtained from any such service to market any other telecommunications service. We believe, however, that a close reading of Section 222 does not support this interpretation. 21. Section 222(c)(1), by its terms, bars a telecommunications carrier from using CPNI obtained from the provision of "a telecommunications service" for any purpose other than to provide "the telecommunications service" from which the CPNI is obtained or services necessary to provide "such telecommunications service." The use of the singular in this section suggests that Congress recognized that telecommunications carriers provide a variety of telecommunications services and intended, absent prior customer approval, to prohibit a carrier from using CPNI obtained from the provision of one service for marketing or other purposes in connection with the provision of another service. This statutory interpretation is reinforced by other provisions of Section 222. Section 222(a) refers to "telecommunications services" and Section 222(b) refers to "any telecommunications service." These references support our reading that Congress contemplated that a single carrier provides different telecommunications services. 22. We tentatively conclude that it would be reasonable to interpret Section 222 as distinguishing among telecommunications services based on traditional service distinctions. Under this approach, we tentatively conclude that we should treat the following as distinct "telecommunications services": local (including short-haul toll); interexchange (including interstate, intrastate, and international long distance offerings, as well as short-haul toll); and commercial mobile radio services (CMRS). We tentatively conclude that short-haul toll should be treated as both a local telecommunications service, when provided by a LEC, as well as an interexchange telecommunications service, when provided by an interexchange carrier (IXC), because under traditional service distinctions both LECs and IXCs currently market and provide short-haul toll service as part of an integrated package with local and interexchange services, respectively. We seek comment on these proposed distinctions and on other possible service distinctions. We further seek comment on how changes in telecommunications technology and regulation that allow carriers to provide more than one traditionally distinct service (e.g., LECs and IXCs may begin providing each others' services) may impact how carriers would implement the requirements of Section 222 to restrict use of CPNI from one telecommunications service to another. 23. CPNI obtained from providing any one of the discrete services listed above may not be used for any purpose, including marketing, involving any of the other services, unless the telecommunications carrier obtained prior customer authorization or one of the exceptions established by Sections 222(c) and (d) applies. We recognize that in the rapidly evolving market for telecommunications services, the distinctions we propose here may become outdated. Thus, we invite parties to suggest other distinctions among telecommunications services that in their view are mandated, envisioned, or logically consistent with the statute for CPNI protection. We request that parties who do so comment specifically on the costs and benefits of the schemes they propose, as well as the impact that such schemes will have on both competitive and consumer privacy interests. We also seek comment on whether and when technological and market developments may require us to revisit the issue of telecommunications service distinctions. 24. Our interpretation also enhances customer privacy by giving customers greater control over CPNI use; CPNI derived from one telecommunications service cannot be used to provide other services or products without prior customer knowledge. We believe that our interpretation of the term "telecommunications service" also addresses competitive considerations. Our reading of the 1996 Act prohibits carriers that are established providers of certain telecommunications services from gaining an advantage by using CPNI to facilitate their entry into new telecommunications services without obtaining prior customer authorization. 25. We seek comment on our tentative conclusions concerning the scope of the term "telecommunications service," especially regarding the costs and benefits associated with our interpretation. We also seek comment on the effect on customer privacy of precluding the use of CPNI among telecommunications service categories. We further seek comment regarding how our proposed interpretation of the term "telecommunications service" would affect competition both in the provision of telecommunications services, and the provision of other adjacent services and products, such as information services and CPE. 26. The CPNI prohibition restricts unauthorized use of CPNI for any purpose other than those specified in Section 222(c)(1) and the exceptions listed in Section 222(d). For example, CPNI obtained from the provision of any telecommunications service may not be used to market information services or CPE without prior customer authorization. Section 222(d)(1) enables carriers to use, disclose, or permit access to CPNI "to initiate, render, bill, and collect for telecommunications services." We seek comment on whether this exception permits carriers, without prior authorization, to use a customer's CPNI derived from the provision of one telecommunications service to perform installation, maintenance, and repair for any telecommunications service to which that customer subscribes. We also seek comment on whether, in the alternative, installation, maintenance, and repair would qualify as "services necessary to, or used in, the provision of such telecommunications service," under Section 222(c)(1)(B). We also seek comment on what other services might be "necessary to, or used in the provision of, such telecommunications service" under Section 222(c)(1)(B). ii. Customer Notification of CPNI Rights/Prior Authorization 27. Section 222(c)(1) authorizes a carrier that obtains CPNI by providing a telecommunications service to use that CPNI for purposes unrelated to the service from which it is obtained if the customer approves. The statute, however, does not specify the procedures that a carrier must use to obtain customer approval, nor whether approval must be written or oral. We seek comment on what methods carriers may use to obtain customer authorization for use of CPNI in compliance with the statute. a. Notification Requirements 28. We tentatively conclude that, in order to ensure full compliance with the prior authorization requirement specified by Section 222(c)(1), we should require a telecommunications carrier seeking approval for CPNI use from its customers to notify those customers of their rights to restrict access to their CPNI. We tentatively conclude that customers must know that they can restrict access to the CPNI obtained from their use of a telecommunications service before they waive that right, in order to be considered to have given approval. We seek comment on whether we should allow such notification to be given orally and simultaneously with a carrier's attempt to seek approval for CPNI use, or whether we should instead require an advance written notification. We further seek comment on what is the least burdensome method of notification that would meet the objectives of the 1996 Act. We note that under the Computer III CPNI rules, we require AT&T, the BOCs, and GTE to provide to multiline business customers written notification of their CPNI rights, along with election forms to restrict or authorize CPNI access. We seek comment on whether we need to specify the information that should be included in the customer notification, and, if so, the disclosure requirements that we should adopt. b. Authorization Requirements 29. Carriers may choose to obtain written authorization from customers to use their CPNI for purposes unrelated to the provision of the service from which it was obtained. This authorization could take the form of a letter or a billing insert sent to the customer that contains a summary of the customer's CPNI rights and is accompanied by a postcard which the customer could sign and return to the carrier to authorize CPNI use. Written authorization provides greater protection to both customers and the carrier than oral authorization, in that the former advises customers in writing of their CPNI rights and provides the carrier with evidence that it has obtained customer approval. From a consumer protection standpoint, written notification, which is more specific and verifiable than oral notification, may be preferable. 30. We seek comment on whether Section 222(c)(1) allows carriers to choose to use outbound telemarketing programs to obtain oral "approval" from customers for use of their CPNI. We note that Section 222(c)(1) mandates that carriers obtain "the approval of the customer" in order to obtain access to the customer's CPNI, without indicating whether the approval has to be written or oral. There are two related provisions of the statute which give rise to conflicting inferences on this point. On the one hand, Section 222(c)(2) requires carriers to disclose CPNI to any person designated by a customer "upon affirmative written request by the customer," which suggests that Section 222(c)(1) allows oral approval, because unlike 222(c)(2) it does not specifically require written authorization. 31. On the other hand, Section 222(d)(3) regarding inbound telemarketing provides that a telecommunications carrier may use, disclose, or permit access to CPNI obtained from its customers "to provide any inbound telemarketing, referral, or administrative services for the duration of the call, if such call was initiated by the customer and the customer approves of the use of such information to provide such service." Section 222(d)(3) could be interpreted as suggesting that oral consent cannot be given for a broader purpose or a longer duration. In the alternative, Section 222(d)(3) could also be interpreted as permitting a carrier to use CPNI to provide a customer with information for the duration of an inbound call, even if the customer has otherwise restricted the carrier's use of its CPNI. We seek comment on how Section 222(c)(1) should be interpreted in light of Section 222(c)(2) and Section 222(d)(3). We also seek comment on the privacy and competitive implications of requiring carriers to obtain prior written approval under Section 222(c)(1) in order to obtain access to customer CPNI, as well as on the costs and benefits of requiring written approval. 32. To the extent that oral approval is allowed under 222(c)(1), we propose to require carriers choosing to obtain oral approval to bear the burden of proof associated with such a scheme in the event of a dispute. Specifically, such carriers would be required to demonstrate through credible evidence that they had obtained the required customer authorization prior to granting access to the CPNI for purposes that otherwise would be unlawful. 33. Additionally, we seek comment on whether we should establish requirements regarding: (1) how long a customer's CPNI use authorization should remain valid; (2) how often carriers may contact a customer in order to attempt to obtain CPNI use authorization, whether or not the customer has requested restriction of its CPNI; and (3) whether and to what extent customers may authorize partial access to their CPNI (for example, limited to certain uses or time periods). iii. CPNI Disclosure to Third Parties 34. Section 222(c)(2) requires carriers, when presented with a customer's affirmative written request, to provide that customer's CPNI to any person designated in the written authorization. Section 222(c)(2) imposes a disclosure requirement on carriers to ensure that any party with customer authorization, including unaffiliated third party competitors, can obtain access to individually identifiable CPNI. As such, carriers must provide a customer's CPNI to any party that has obtained an affirmative written authorization from the customer. We seek comment with respect to what additional mechanisms or procedures, if any, we ought to require telecommunications carriers to implement to guard against unauthorized access to CPNI by third parties. iv. Safeguards for Customer-Restricted CPNI Data 35. We tentatively conclude that all telecommunications carriers must establish effective safeguards to protect against unauthorized access to CPNI by their employees or agents, or by unaffiliated third parties. We noted above that we have required AT&T, the BOCs, and GTE to implement computerized safeguards and manual file indicators to prevent unauthorized access to CPNI. We seek comment on whether these requirements should continue to apply to AT&T, the BOCs, and GTE. 36. We tentatively conclude that we should not now specify safeguard requirements for all other telecommunications carriers, but we note that these carriers may wish to adopt some or all of the types of safeguards against unauthorized access to CPNI that we applied to AT&T, the BOCs, and GTE in Computer III, in satisfaction of their obligation to develop effective means to protect restricted CPNI. We seek comment, however, regarding whether we should impose on all telecommunications carriers any of the requirements imposed on AT&T, the BOCs, and GTE, or any other safeguard designed to protect against unauthorized access to restricted CPNI, and will adopt such requirements if the record indicates a need for them. v. Aggregate CPNI 37. The aggregate CPNI provisions of Section 222(c)(3) permit telecommunications carriers, other than LECs, to use aggregate CPNI for purposes other than providing telecommunications services. LECs, however, may use aggregate CPNI for purposes other than providing telecommunications service only if the aggregate CPNI is made available to others on a reasonable and nondiscriminatory basis. In Computer III, we required the subject carriers to notify third parties about the availability of aggregate CPNI used by these carriers by publishing notices in trade publications or newsletters. We seek comment on whether, in addition to the statutory requirements of Section 222, we should also require all LECs to provide similar notification to others regarding the availability of aggregate CPNI, on a reasonable and nondiscriminatory basis prior to using such aggregate CPNI themselves. C. Applicability of Computer III CPNI Requirements 38. We conclude that the 1996 Act does not prohibit the Commission from enforcing CPNI requirements that are not inconsistent with the new statutory provisions, since nothing in the 1996 Act affects these requirements. We recognize that in certain respects our existing Computer III requirements place greater restrictions than the 1996 Act on CPNI access by AT&T, the BOCs, and GTE for the provision of enhanced services and CPE. Under our reading of the new statute, these additional restrictions will continue to apply to those carriers, pending the outcome of this rulemaking. 39. AT&T, the BOCs, and GTE must continue to provide annual written notification to customers about CPNI rights before using this CPNI to market enhanced services. The current retention of this requirement does not supersede the new statutory requirement that all telecommunications carriers, including AT&T, the BOCs, and GTE, obtain prior authorization before using CPNI to engage in any activity other than providing the service from which the CPNI was derived. The BOCs and GTE must also continue to obtain prior written authorization from customers with more than twenty lines before using their CPNI to market enhanced services. With respect to use of CPNI for marketing CPE, AT&T must continue to notify customers in a one-time billing insert before using the CPNI of these customers to market CPE. Similarly, the BOCs must continue to notify multiline customers annually about their CPNI rights before using this CPNI to market CPE. In addition, AT&T, the BOCs, and GTE must maintain any previously approved mechanisms (i.e, computer password systems, filing mechanisms) to restrict unauthorized internal access to CPNI. 40. We do not propose to extend our pre-existing Computer III CPNI requirements, as modified by the 1996 Act, to other telecommunications carriers, because we tentatively conclude that these additional CPNI restrictions are not necessary to secure the public interest objectives of the 1996 Act. The Commission's CPNI rules were established in the context of the Computer III proceeding, in which the Commission adopted various nonstructural safeguards to protect independent ESPs and CPE suppliers from discrimination by AT&T, the BOCs, and GTE. The Commission specifically sought to prohibit these carriers from using CPNI obtained from their provision of basic regulated services to gain an anticompetitive advantage in the unregulated CPE and enhanced services markets. In that proceeding, we determined that, because AT&T, the BOCs, and GTE could gain anticompetitive advantages in this manner, their use of CPNI must be restricted. 41. We, however, recognize that some of the anticompetitive concerns we sought to address through the establishment of our CPNI rules may now be addressed by the new Section 222. In such light, we seek comment on which, if any, of our Computer III CPNI rules may no longer be necessary as a result of new Section 222. For example, we seek comment on the necessity for continuing to require AT&T, the BOCs, and GTE to provide written notification to multiline customers of their CPNI rights. Given that the Computer III CPNI rules are part of a scheme of nonstructural safeguards, parties should address how changing the CPNI rules might influence the effect of other Computer III requirements. Parties should comment on whether there are privacy or competitive reasons for continuing to apply these specific pre- existing requirements to these carriers, as well as on the costs and benefits of maintaining these requirements. We also invite parties to comment on what, if any, modifications to our current CPNI rules should be adopted to further the pro-competitive, deregulatory goals of the 1996 Act, in addition to those discussed in this NPRM. 42. We further seek comment on whether AT&T, the BOCs, and GTE continue to possess a competitive advantage with respect to access to and use of customer CPNI, as well as whether any other entities, such as independent LECs, now possess similar advantages. In particular, it appears that our recent decisions classifying AT&T as a non-dominant carrier, and the pending AT&T reorganization separating its equipment business from its telecommunications service business, may justify removal of Computer III CPNI requirements for AT&T. We tentatively conclude that removal of these requirements is now justified. We further seek comment regarding whether privacy, competitive concerns, or any other considerations, justify special regulatory treatment of AT&T, the BOCs, and GTE. Further, to the extent that commenters believe differential regulatory treatment is justified for certain carriers, we seek comment on whether such differential treatment should be permanent or limited in duration, and, if limited, what sunset provisions should apply. D. Section 222(e): Availability of Subscriber List Information 43. Section 222(e) states that a telecommunications carrier that provides "telephone exchange service" shall provide subscriber list information "gathered in its capacity as a provider of such service on a timely and unbundled basis, under nondiscriminatory and reasonable rates, terms, and conditions, to any person upon request for the purpose of publishing directories in any format." We interpret Section 222(e) to require not only LECs, but also any telecommunications carrier, including an IXC or cable operator, for example, to meet the requirements of this section to the extent such carrier provides telephone exchange service. We seek comment on this interpretation. 44. Subscriber list information is defined in Section 222(f)(3) as any information "identifying the listed names of subscribers of a carrier and such subscribers' telephone numbers, addresses, or primary advertising classifications (as such classifications are assigned at the time of the establishment of such service)" or any combination of such information, that the "carrier or an affiliate has published . . . or accepted for publication in any directory format." We seek comment on what regulations, if any, are necessary to clarify the type and/or categories of information that must be made available under this section. In particular, we seek comment on the meaning of "primary advertising classifications," since the statute does not specify what is meant by this term. We also note that new Section 274(h)(2)(i) of the 1996 Act excepts from the definition of "electronic publishing" the provision of "directory assistance that provides names, addresses, and telephone numbers and does not include advertising." We tentatively conclude that the term "primary advertising classifications" in Section 222(e) is used differently than the term "advertising" in Section 274(h)(2)(i), and that therefore subscriber list information does not fall within the definition of electronic publishing. We seek comment on this tentative conclusion. 45. We also seek comment on what regulations or procedures may be necessary to implement the requirement that subscriber list information be provided "on a timely and unbundled basis, under nondiscriminatory and reasonable rates, terms, and conditions." Commenting parties should state specifically what regulations or procedures, if any, should be required and how Section 222(e) makes them necessary. In particular, commenters should comment on the format in which the information should be provided and how it should be unbundled. 46. We also seek comment on what safeguards may be necessary to ensure that a person seeking subscriber list information is doing so for the specified purpose of "publishing directories in any format." While the Joint Explanatory Statement states that the purpose of Section 222(e) is to guarantee "independent publishers access to subscriber list information" upon request, we seek comment on how and to what extent a telecommunications carrier subject to this section may seek authorization from a person or entity requesting such information. Parties should comment on whether such requests must be in writing or whether they can be made orally. E. Section 275(d): Alarm Monitoring Procedures for LECs 47. Section 275(d) prohibits a LEC from recording or using in any fashion "the occurrence or content of calls received by providers of alarm monitoring services for the purposes of marketing such services on behalf of such [LEC], or any other entity." Thus, Section 275(d) restricts LECs from using the information described in that section for marketing another alarm monitoring service, either their own service or a service offered by another affiliated or unaffiliated entity. We tentatively conclude that a customer's authorization under Section 222(c)(1) will not extend to any records concerning the occurrence of calls received by alarm monitoring service providers. Although call content information is not considered CPNI, we note that, pursuant to Section 275(d), LECs may not use information concerning the "content of calls" received by providers of alarm monitoring services to market such services. We seek comment on what procedures LECs should develop to comply with Section 275(d). IV. CONCLUSION 48. In this notice, we seek comment on rules to ensure compliance by telecommunications carriers with the provisions relating to carrier use of and access to CPNI and other customer information established by the Telecommunications Act of 1996 in new Sections 222(c)-(f) and 275(d), and to secure the privacy and competitive protections mandated by Congress. We invite comment on our interpretation of the requirements imposed by Section 222(c)-(f) and Section 275(d), as well as our tentative conclusions regarding regulations necessary to ensure carrier compliance with these requirements and to more fully effectuate the statutory policies. We also request parties to specify whether their comments on our proposed regulatory requirements address privacy or competitive concerns, and to comment on the appropriate duration of such regulatory requirements. Any party disagreeing with our tentative conclusions should explain with specificity in terms of costs and benefits its position and suggestions for alternative regulatory policies. V. PROCEDURAL ISSUES A. Ex Parte Presentations 49. This is a non-restricted notice-and-comment rulemaking proceeding. Ex parte presentations are permitted, except during the Sunshine Agenda period, provided that they are disclosed as provided in the Commission's rules. See generally 47 C.F.R.  1.1202, 1.1203, 1.1206. B. Initial Regulatory Flexibility Analysis 50. Pursuant to the Regulatory Flexibility Act of 1980, 5 U.S.C.  601-612, the Commission's Initial Regulatory Flexibility Analysis with respect to the NPRM is as follows: 51. Reason for Action: The Commission is issuing this NPRM seeking comment on proposed regulations to ensure telecommunications carriers' compliance with requirements for the use and protection of customer proprietary network information (CPNI) and other customer information set forth in the Telecommunications Act of 1996, Pub. L. 104-104, 110 Stat. 56 (1996). 52. Objectives: The objective of the NPRM is to provide an opportunity for public comment and to provide a record for a Commission decision on the issues stated above. The Commission is committed to reducing the regulatory burdens on small communications services companies whenever possible, consistent with our other public interest responsibilities. 53. Legal basis: The NPRM is adopted pursuant to Sections 1, 4, 222, 275, and 303(r) of the Communications Act of 1934, as amended, 47 U.S.C.  151, 154, 222, 275, and 303(r). 54. Description, potential impact, and number of small entities affected: Any rule changes that might occur as a result of this proceeding could impact small business entities, as defined in Section 601(3) of the Regulatory Flexibility Act. After evaluating the comments in this proceeding, the Commission will further examine the impact of any rule changes on small entities and set forth findings in the Final Regulatory Flexibility Analysis. The Secretary shall send a copy of this NPRM to the Chief Counsel for Advocacy of the Small Business Administration in accordance with Section 603(a) of the Regulatory Flexibility Act, Pub. L. No. 96-354, 94 Stat. 1164, 5 U.S.C.  601, et seq. (1981). 55. Reporting, recordkeeping and other compliance requirement: None. 56. Federal rules that overlap, duplicate or conflict with the Commission's proposal: None. 57. Any significant alternatives minimizing impact on small entities and consistent with stated objectives: The NPRM solicits comments on a variety of alternatives. 58. Comments are solicited: Written comments are requested on this Initial Regulatory Flexibility Analysis. These comments must be filed in accordance with the same filing deadlines set for comments on the other issues in this NPRM but they must have a separate and distinct heading designating them as responses to the Regulatory Flexibility Analysis. The Secretary shall send a copy of the Notice to the Chief Counsel for Advocacy of the Small Business Administration in accordance with Section 603(a) of the Regulatory Flexibility Act, 5 U.S.C.  601, et seq. C. Initial Paperwork Reduction Act of 1995 Analysis 59. This NPRM contains either a proposed or modified information collection. As part of its continuing effort to reduce paperwork burdens, we invite the general public and the Office of Management and Budget (OMB) to take this opportunity to comment on the information collections contained in this NPRM, as required by the Paperwork Reduction Act of 1995, Pub. L. No. 104-13. Public and agency comments are due at the same time as other comments on this NPRM; OMB comments are due 60 days from date of publication of this NPRM in the Federal Register. Comments should address: (a) whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information shall have practical utility; (b) the accuracy of the Commission's burden estimates; (c) ways to enhance the quality, utility, and clarity of the information collected; and (d) ways to minimize the burden of the collection of information on the respondents, including the use of automated collection techniques or other forms of information technology. D. Comment Filing Procedures 60. Pursuant to applicable procedures set forth in Sections 1.415 and 1.419 of the Commission's rules, 47 C.F.R.  1.415, 1.419, interested parties may file comments on or before June 11, 1996 and reply comments on or before June 26, 1996. To file formally in this proceeding, you must file an original and six (6) copies of all comments, reply comments, and supporting comments. If you want each Commissioner to receive a personal copy of your comments, you must file an original and eleven (11) copies. Comments and reply comments should be sent to Office of the Secretary, Federal Communications Commission, 1919 M Street, N.W., Room 222, Washington, D.C. 20554, with a copy to Janice Myles of the Common Carrier Bureau, 1919 M Street, N.W., Room 544, Washington, D.C. 20554. Parties should also file one copy of any documents filed in this docket with the Commission's copy contractor, International Transcription Services, Inc., 2100 M Street, N.W., Suite 140, Washington, D.C. 20037. Comments and reply comments will be available for public inspection during regular business hours in the FCC Reference Center, 1919 M Street, N.W., Room 239, Washington, D.C. 20554. 61. In order to facilitate review of comments and reply comments, both by parties and by Commission staff, we require that comments be no longer than twenty-five (25) pages and reply comments be no longer than fifteen (15) pages. Copies of specific proposed rules that conform to the C.F.R. format, relevant state orders, sample CPNI notification and authorization forms or letters, and empirical economic studies will not be counted against these page limits. Comments and reply comments must also comply with Section 1.49 and all other applicable sections of the Commission's Rules. 62. Parties are also asked to submit comments and reply comments on diskette. Such diskette submissions would be in addition to and not a substitute for the formal filing requirements addressed above. Parties submitting diskettes should submit them to Janice Myles of the Common Carrier Bureau, 1919 M Street, N.W., Room 544, Washington, D.C. 20554. Such a submission should be on a 3.5 inch diskette formatted in an IBM compatible form using MS DOS 5.0 and WordPerfect 5.1 software. The diskette should be submitted in "read only" mode. The diskette should be clearly labelled with the party's name, proceeding, type of pleading (comment or reply comments) and date of submission. The diskette should be accompanied by a cover letter. 63. Written comments by the public on the proposed and/or modified information collections are due June 11, 1996. Written comments must be submitted by the Office of Management and Budget (OMB) on the proposed and/or modified information collections on or before 60 days after date of publication in the Federal Register. In addition to filing comments with the Secretary, a copy of any comments on the information collections contained herein should be submitted to Dorothy Conway, Federal Communications Commission, Room 234, 1919 M Street, N.W., Washington, DC 20554, or via the Internet to dconway@fcc.gov and to Timothy Fain, OMB Desk Officer, 10236 NEOB, 725 - 17th Street, N.W., Washington, DC 20503 or via the Internet to fain_t@al.eop.gov. VI. ORDERING CLAUSES 64. Accordingly, IT IS ORDERED that pursuant to Sections 1, 4, 222, 275, and 303(r) of the Communications Act of 1934, as amended, 47 U.S.C.  151, 154, 222, 275, and 303(r), a NOTICE OF PROPOSED RULEMAKING is hereby ADOPTED. 65. IT IS FURTHER ORDERED that, the Secretary shall send a copy of this NOTICE OF PROPOSED RULEMAKING, including the regulatory flexibility certification, to the Chief Counsel for Advocacy of the Small Business Administration, in accordance with paragraph 603(a) of the Regulatory Flexibility Act, 5 U.S.C.  601 et seq. (1981). FEDERAL COMMUNICATIONS COMMISSION William F. Caton Acting Secretary Index Terms: $// NPRM, customer proprietary network information, CPNI, subscriber list information, alarm monitoring data safeguards //$ $/ 47 U.S.C.  222, 47 U.S.C.  275(d) /$