The obligations imposed by Section 222 of the Communications Act are limited to telecommunications carriers in relation to their provision of telecommunications service.  This includes providers of interconnected voice over Internet protocol service.¹  Moreover, Section 222 only applies to consumer proprietary network information (CPNI), which is defined as “(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.”²

For entities and data that fall within the scope of these rules, there are a very specific set of requirements and limitations.  In particular:

• Carriers may use or disclose a customer’s CPNI on an implied consent basis for a certain number of uses, such as providing services to which the customer subscribes and protecting its own rights and property.  However, other uses or purposes for disclosing or permitting access to a customer’s information require the carrier to obtain the customer’s opt-out, and in some cases, opt-in consent, including some marketing- and advertising-related activities.³
• Carriers are also subject to certain notice, data protection, and compliance obligations.  For example, carriers must (i) provide notice to customers of their rights in regard to their CPNI before soliciting their approval in accordance with requirements governing the content and placement of these notices; (ii) implement certain physical and procedural measures to safeguard their use and disclosure of CPNI; (iii) comply with recordkeeping obligations and file an annual filing on or before March 1 certifying compliance with the FCC’s rules governing the safeguards for the use of CPNI; and (iv) in the event that there is a breach of their CPNI, notify affected customers and law enforcement.⁴

¹ 47 USC § 222.