Telecommunications & Data Privacy: CPNI and the FCC

We close Domain two with telecommunications privacy, the F-C-C's turf. The Federal Communications Commission regulates telephone carriers, cable operators, and broadcasters, and telecom companies sit on uniquely sensitive information: who you called, when, for how long, and which services you buy. The exam doesn't go deep here, the 2025 blueprint nudged this topic up only slightly, but it expects you to recognize the core regime, customer proprietary network information rules, and to distinguish the F-C-C's role from the F-T-C's.

Think of this as a focused, predictable handful of questions: know the term C-P-N-I, know the cable rule, and know which agency owns telecom.

The central concept is customer proprietary network information, C-P-N-I, defined under section two twenty-two of the Communications Act. C-P-N-I is the information a carrier gets about a customer's use of its telecom services, the numbers called, the type, destination, and amount of use, and the services the customer subscribes to. A carrier may use C-P-N-I to provide the service the customer bought.

But using it to market other categories of service generally requires the customer's approval, through opt-in or opt-out depending on the situation, and sharing it with third parties is tightly controlled. Carriers must also safeguard C-P-N-I, authenticate customers before disclosing it, and report C-P-N-I breaches to law enforcement. So C-P-N-I is essentially sectoral privacy for the things a phone company learns about you.

Alongside C-P-N-I, the exam touches the Cable Communications Policy Act, section five fifty-one of title forty-seven, which gives cable subscribers a set of privacy protections that predate most internet-era laws. Cable operators must tell subscribers, in a periodic notice, what personally identifiable information they collect, how it's used, and to whom it's disclosed. They're limited in collecting personally identifiable information without consent and in disclosing it, with exceptions for providing service and for some legal demands.

Subscribers also get a right to access information held about them. It's a compact regime, but it's a useful reminder that distinct media, telephone, cable, video, each picked up their own privacy statute, reinforcing the sectoral pattern that runs through the whole exam.

Telecom privacy overlaps the marketing rules from the last two lectures, and the exam can blend them. The TCPA's robocall and text rules also live at the F-C-C, so a phone carrier can face C-P-N-I obligations about its customers' usage data and TCPA obligations about how it markets to them at the same time. One area that has shifted is privacy for broadband internet access, regulatory authority over it has moved with changes in how broadband is classified, which is why the exam tends to stay on the stable ground of C-P-N-I and cable rather than the contested edges.

The key discipline is not to confuse C-P-N-I, which is specifically about telecom usage, with ordinary consumer data, which falls under the F-T-C or state law.

To make C-P-N-I concrete, look at how carriers must actually protect it, because the exam favors operational detail. A central risk is pretexting, where someone impersonates a customer, or a carrier's own employee is tricked, to pry account records loose. To counter it, F-C-C rules require carriers to authenticate customers before disclosing C-P-N-I, for instance by using a password rather than readily available information like the last four digits of a Social Security number, and to notify customers when account passwords or addresses change or when an account is accessed.

Carriers must also safeguard the data, train staff, and file annual certifications with the F-C-C confirming their C-P-N-I compliance. The takeaway is that telecom privacy isn't just a definition, it's an authentication-and-notification regime built to stop social-engineering attacks on customer records, which is exactly the kind of scenario an exam item describes.

Let's set the reasoning and then zoom out. If the data is a customer's telecom usage, think C-P-N-I and the F-C-C; if it's cable-subscriber information, think the Cable Act; if it's phone or text marketing, think the TCPA, also at the F-C-C. The distractor here applies C-P-N-I to data a phone company holds that isn't telecom-usage information, C-P-N-I is narrow.

Now the Domain two wrap-up, because this is the federal-sectoral heart of the exam. You've now mapped the full set: the F-T-C as the cross-sector backstop, HIPAA for health, GLBA and F-C-R-A for financial and credit, FERPA for education, COPPA for children, the TCPA, T-S-R, CAN-SPAM, and VPPA for marketing, and C-P-N-I and the Cable Act for telecom. Anchor every Domain two question by first naming the sector and the actor.

Now go test yourself, then we move to government and court access to data.