• Provides private right of action
• Excludes internet services via cable
• Defines cable service” one way transmission to subscribers of video programming or other
programming service and subscriber interaction if any which is required for the selection of such
video programming or other programming service
• Cable service providers must give a privacy notice that clearly and conspicuously informs subscribers of
o The nature of the PI collected
o How such info will be used
o The retention period of such info
o The manner by which the subscriber can access and correct such info
• A Cable provider can only collect PI that is necessary to render cable services or detect the
unauthorized reception of services
• Limits cable service providers right to disseminate PI without written or electronic consent.
Exceptions:
o To the extent necessary to render services or conduct other legit business activities
o Subject to a court order with notice to the subscriber
o If the disclosure is limited to the name and addresses and the subscriber is given an
option to opt out
• Mandates PI be destroyed when it is no longer needed for the purpose for which it was
collected and there are no pending requests for access
• Conflicts with the ECPA’s provision that no notice is needed for court orders. Courts rule in favor of ECPA
Section 222 governs the privacy of customer info provided to and obtained by
telecommunications carriers. Prior, carriers were permitted to sell consumer data to third
parties w/o consent. This statute imposes new restrictions on the access, use, and disclosure of
customer proprietary network info (CPNI)
• ISPs are subject to general CPNI requirements
• Carriers can use and disclose CPNI only with customer approval or as required by law
• FCC governs
• U.S West Inc v FCC made standard switch to opt out for carrier’s own use of CPNI
• Carriers must obtain express consent to share data with third parties. Sharing is allowed with
joint venture or independent contractors unless customers opted out within 30 days of being
notified. Must opt in if the data shared will be for marketing purposes
• Other requirements:
o Carriers must notify law enforcement when CPNI is disclosed in a security breach w/in seven business days of the breach
o Customers must provide a password before they can access their CPNI via telephone or
online account services
o Carriers must certify their compliance with these laws annually, explain how their
systems ensure compliance and provide an annual summary of consumer complaints
related to unauthorized disclosure of CPNI