Regulations last checked for updates: Oct 17, 2024

Title 47 - Telecommunication last revised: Oct 11, 2024
§ 64.5101 - Basis and purpose.

(a) Basis. The rules in this subpart are issued pursuant to the Communications Act of 1934, as amended.

(b) Purpose. The purpose of the rules in this subpart is to implement customer proprietary network information protections for users of telecommunications relay services and point-to-point video service pursuant to sections 4, 222, and 225 of the Communications Act of 1934, as amended, 47 U.S.C. 154, 222, 225.

[78 FR 40613, July 5, 2013, as amended at 82 FR 17764, Apr. 13, 2017]
§ 64.5103 - Definitions.

(a) Address of record. An “address of record,” whether postal or electronic, is an address that the TRS provider has associated with the customer for at least 30 days.

(b) Affiliate. The term “affiliate” shall have the same meaning given such term in section 3 of the Communications Act of 1934, as amended, 47 U.S.C. 153.

(c) Call data information. The term “call data information” means any information that pertains to the handling of specific TRS calls, including the call record identification sequence, the communications assistant identification number, the session start and end times, the conversation start and end times, incoming and outbound telephone numbers, incoming and outbound internet protocol (IP) addresses, total conversation minutes, total session minutes, and the electronic serial number of the consumer device.

(d) Communications assistant (CA). The term “communications assistant” or “CA” shall have the same meaning given to the term in § 64.601(a) of this part.

(e) Customer. The term “customer” means a person:

(1) To whom the TRS provider provides TRS or point-to-point service, or

(2) Who is registered with the TRS provider as a default provider.

(f) Customer proprietary network information (CPNI). The term “customer proprietary network information” or “CPNI” means information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service used by any customer of a TRS provider; and information regarding a customer's use of TRS contained in the documentation submitted by a TRS provider to the TRS Fund administrator in connection with a request for compensation for the provision of TRS.

(g) Customer premises equipment (CPE). The term “customer premises equipment” or “CPE” shall have the same meaning given to such term in section 3 of the Communications Act of 1934, as amended, 47 U.S.C. 153.

(h) Default provider. The term “default provider” shall have the same meaning given such term in § 64.601(a) of this part.

(i) Internet-based TRS (iTRS). The term “Internet-based TRS” or “iTRS” shall have the same meaning given to the term in § 64.601(a) of this part.

(j) iTRS access technology. The term “iTRS access technology” shall have the same meaning given to the term in § 64.601(a) of this part.

(k) Opt-in approval. The term “opt-in approval” shall have the same meaning given such term in § 64.5107(b)(1) of this subpart.

(l) Opt-out approval. The term “opt-out approval” shall have the same meaning given such term in § 64.5107(b)(2) of this subpart.

(m) Point-to-point service. The term “point-to-point service” means a service that enables a VRS or hearing customer to place and receive non-relay calls without the assistance of a communications assistant over the facilities of a VRS provider using VRS access technology. Such calls are made by means of ten-digit NANP numbers registered in the TRS Numbering Directory and assigned to VRS customers and hearing point-to-point customers by VRS providers. The term “point-to-point call” shall refer to a call placed via a point-to-point service.

(n) Readily available biographical information. The term “readily available biographical information” means information drawn from the customer's life history and includes such things as the customer's social security number, or the last four digits of that number; mother's maiden name; home address; or date of birth.

(o) Sign language. The term “sign language” shall have the same meaning given to the term in § 64.601(a) of this part.

(p) Telecommunications relay services (TRS). The term “telecommunications relay services” or “TRS” shall have the same meaning given to such term in § 64.601(a) of this part.

(q) Telephone number of record. The term “telephone number of record” means the telephone number associated with the provision of TRS, which may or may not be the telephone number supplied as part of a customer's “contact information.”

(r) TRS Fund. The term “TRS Fund” shall have the same meaning given to the term in § 64.604(c)(5)(iii) of this part.

(s) TRS provider. The term “TRS provider” means an entity that provides TRS and shall include an entity that provides point-to-point service.

(t) TRS-related services. The term “TRS-related services” means, in the case of traditional TRS, services related to the provision or maintenance of customer premises equipment, and in the case of iTRS, services related to the provision or maintenance of iTRS access technology, including features and functions typically provided by TRS providers in association with iTRS access technology.

(u) Valid photo ID. The term “valid photo ID” means a government-issued means of personal identification with a photograph such as a driver's license, passport, or comparable ID that has not expired.

(v) Video relay service. The term “video relay service” or VRS shall have the same meaning given to the term in § 64.601(a) of this part.

(w) VRS access technology. The term “VRS access technology” shall have the same meaning given to the term in § 64.601(a) of this part.

[78 FR 40613, July 5, 2013, as amended at 82 FR 17765, Apr. 13, 2017]
§ 64.5105 - Use of customer proprietary network information without customer approval.

(a) A TRS provider may use, disclose, or permit access to CPNI for the purpose of providing or lawfully marketing service offerings among the categories of service (i.e., type of TRS) for which the TRS provider is currently the default provider for that customer, without customer approval.

(1) If a TRS provider provides different categories of TRS, and the TRS provider is currently the default provider for that customer for more than one category of TRS offered by the TRS provider, the TRS provider may share CPNI among the TRS provider's affiliated entities that provide a TRS offering to the customer.

(2) If a TRS provider provides different categories of TRS, but the TRS provider is currently not the default provider for that customer for more than one offering by the TRS provider, the TRS provider shall not share CPNI with its affiliates, except as provided in § 64.5107(b) of this subpart.

(b) A TRS provider shall not use, disclose, or permit access to CPNI as described in this paragraph (b).

(1) A TRS provider shall not use, disclose, or permit access to CPNI to market to a customer TRS offerings that are within a category of TRS for which the TRS provider is not currently the default provider for that customer, unless that TRS provider has customer approval to do so.

(2) A TRS provider shall not identify or track CPNI of customers that call competing TRS providers and, notwithstanding any other provision of this subpart, a TRS provider shall not use, disclose or permit access to CPNI related to a customer call to a competing TRS provider.

(c) A TRS provider may use, disclose, or permit access to CPNI, without customer approval, as described in this paragraph (c).

(1) A TRS provider may use, disclose or permit access to CPNI derived from its provision of TRS without customer approval, for the provision of CPE or iTRS access technology, and call answering, voice or video mail or messaging, voice or video storage and retrieval services.

(2) A TRS provider may use, disclose, or permit access to CPNI, without customer approval, in its provision of inside wiring installation, maintenance, and repair services.

(3) A TRS provider may use CPNI, without customer approval, to market services formerly known as adjunct-to-basic services, such as, but not limited to, speed dialing, call waiting, caller I.D., and call forwarding, only to those customers that are currently registered with that TRS provider as their default provider.

(4) A TRS provider shall use, disclose, or permit access to CPNI to the extent necessary to:

(i) Accept and handle 911/E911 calls;

(ii) Access, either directly or via a third party, a commercially available database that will allow the TRS provider to determine an appropriate Public Safety Answering Point, designated statewide default answering point, or appropriate local emergency authority that corresponds to the caller's location;

(iii) Relay the 911/E911 call to that entity; and

(iv) Facilitate the dispatch and response of emergency service or law enforcement personnel to the caller's location, in the event that the 911/E911 call is disconnected or the caller becomes incapacitated.

(5) A TRS provider shall use, disclose, or permit access to CPNI upon request by the administrator of the TRS Fund, as that term is defined in § 64.604(c)(5)(iii) of this part, or by the Commission for the purpose of administration and oversight of the TRS Fund, including the investigation and prevention of fraud, abuse, and misuse of TRS and seeking repayment to the TRS Fund for non-compensable minutes.

(6) A TRS provider may use, disclose, or permit access to CPNI to protect the rights or property of the TRS provider, or to protect users of those services, other TRS providers, and the TRS Fund from fraudulent, abusive, or unlawful use of such services.

[79 FR 40613, July 5, 2013]
§ 64.5107 - Approval required for use of customer proprietary network information.

(a) A TRS provider may obtain approval through written, oral, electronic, or sign language methods.

(1) A TRS provider relying on oral or sign language approval shall bear the burden of demonstrating that such approval has been given in compliance with the Commission's rules in this part.

(2) Approval or disapproval to use, disclose, or permit access to a customer's CPNI obtained by a TRS provider must remain in effect until the customer revokes or limits such approval or disapproval. A TRS provider shall accept any such customer revocation, whether in written, oral, electronic, or sign language methods.

(3) A TRS provider must maintain records of approval, whether oral, written, electronic, or sign language, during the time period that the approval or disapproval is in effect and for at least one year thereafter.

(b) Use of opt-in and opt-out approval processes. (1) Opt-in approval requires that the TRS provider obtain from the customer affirmative, express consent allowing the requested CPNI usage, disclosure, or access after the customer is provided appropriate notification of the TRS provider's request consistent with the requirements set forth in this subpart.

(2) With opt-out approval, a customer is deemed to have consented to the use, disclosure, or access to the customer's CPNI if the customer has failed to object thereto within the waiting period described in § 64.5108(d)(1) of this subpart after the TRS provider has provided to the customer appropriate notification of the TRS provider's request for consent consistent with the rules in this subpart.

(3) A TRS provider may only use, disclose, or permit access to the customer's individually identifiable CPNI with the customer's opt-in approval, except as follows:

(i) Where a TRS provider is permitted to use, disclose, or permit access to CPNI without customer approval under § 64.5105 of this subpart.

(ii) Where a TRS provider is permitted to use, disclose, or permit access to CPNI by making use of customer opt-in or opt-out approval under paragraph (?)(4) of this section.

(4) A TRS provider may make use of customer opt-in or opt-out approval to take the following actions with respect to CPNI:

(i) Use its customer's individually identifiable CPNI for the purpose of lawfully marketing TRS-related services to that customer.

(ii) Disclose its customer's individually identifiable CPNI to its agents and its affiliates that provide TRS-related services for the purpose of lawfully marketing TRS-related services to that customer. A TRS provider may also permit such persons or entities to obtain access to such CPNI for such purposes.

[79 FR 40613, July 5, 2013]
§ 64.5108 - Notice required for use of customer proprietary network information.

(a) Notification, generally. (1) Prior to any solicitation for customer approval to use, disclose, or permit access to CPNI, a TRS provider shall provide notification to the customer of the customer's right to deny or restrict use of, disclosure of, and access to that customer's CPNI.

(2) A TRS provider shall maintain records of notification, whether oral, written, electronic, or sign language, during the time period that the approval is in effect and for at least one year thereafter.

(b) Individual notice. A TRS provider shall provide individual notice to customers when soliciting approval to use, disclose, or permit access to customers' CPNI.

(c) Content of notice. Customer notification shall provide sufficient information in clear and unambiguous language to enable the customer to make an informed decision as to whether to permit a TRS provider to use, disclose, or permit access to, the customer's CPNI.

(1) The notification shall state that the customer has a right to deny any TRS provider the right to use, disclose or permit access to the customer's CPNI, and the TRS provider has a duty, under federal law, to honor the customer's right and to protect the confidentiality of CPNI.

(2) The notification shall specify the types of information that constitute CPNI and the specific entities that will use, receive or have access to the CPNI, describe the purposes for which CPNI will be used, and inform the customer of his or her right to disapprove those uses, and deny or withdraw the customer's consent to use, disclose, or permit access to CPNI at any time.

(3) The notification shall advise the customer of the precise steps the customer must take in order to grant or deny use, disclosure, or access to CPNI, and must clearly state that customer denial of approval will not affect the TRS provider's provision of any services to the customer. However, TRS providers may provide a brief statement, in clear and neutral language, describing consequences directly resulting from the lack of access to CPNI.

(4) TRS providers shall provide the notification in a manner that is accessible to the customer, comprehensible, and not misleading.

(5) If the TRS provider provides written notification to the customer, the notice shall be clearly legible, use sufficiently large type, and be placed in an area so as to be readily apparent to a customer.

(6) If any portion of a notification is translated into another language, then all portions of the notification must be translated into that language.

(7) A TRS provider may state in the notification that the customer's approval to use CPNI may enhance the TRS provider's ability to offer products and services tailored to the customer's needs. A TRS provider also may state in the notification that it may be compelled to disclose CPNI to any person upon affirmative written request by the customer.

(8) The notification shall state that any approval or denial of approval for the use of CPNI outside of the service for which the TRS provider is the default provider for the customer is valid until the customer affirmatively revokes or limits such approval or denial.

(9) A TRS provider's solicitation for approval to use, disclose, or have access to the customer's CPNI must be proximate to the notification of a customer's CPNI rights to non-disclosure.

(d) Notice requirements specific to opt-out. A TRS provider shall provide notification to obtain opt-out approval through electronic or written methods, but not by oral or sign language communication (except as provided in paragraph (f) of this section). The contents of any such notification shall comply with the requirements of paragraph (c) of this section.

(1) TRS providers shall wait a 30-day minimum period of time after giving customers notice and an opportunity to opt-out before assuming customer approval to use, disclose, or permit access to CPNI. A TRS provider may, in its discretion, provide for a longer period. TRS providers shall notify customers as to the applicable waiting period for a response before approval is assumed.

(i) In the case of an electronic form of notification, the waiting period shall begin to run from the date on which the notification was sent; and

(ii) In the case of notification by mail, the waiting period shall begin to run on the third day following the date that the notification was mailed.

(2) TRS providers using the opt-out mechanism shall provide notices to their customers every two years.

(3) TRS providers that use email to provide opt-out notices shall comply with the following requirements in addition to the requirements generally applicable to notification:

(i) TRS providers shall obtain express, verifiable, prior approval from consumers to send notices via email regarding their service in general, or CPNI in particular;

(ii) TRS providers shall either:

(A) Allow customers to reply directly to the email containing the CPNI notice in order to opt-out; or

(B) Include within the email containing the CPNI notice a conspicuous link to a Web page that provides to the customer a readily usable opt-out mechanism;

(iii) Opt-out email notices that are returned to the TRS provider as undeliverable shall be sent to the customer in another form before the TRS provider may consider the customer to have received notice;

(iv) TRS providers that use email to send CPNI notices shall ensure that the subject line of the message clearly and accurately identifies the subject matter of the email; and

(v) TRS providers shall make available to every customer a method to opt-out that is of no additional cost to the customer and that is available 24 hours a day, seven days a week. TRS providers may satisfy this requirement through a combination of methods, so long as all customers have the ability to opt-out at no cost and are able to effectuate that choice whenever they choose.

(e) Notice requirements specific to opt-in. A TRS provider may provide notification to obtain opt-in approval through oral, sign language, written, or electronic methods. The contents of any such notification shall comply with the requirements of paragraph (c) of this section.

(f) Notice requirements specific to one-time use of CPNI. (1) TRS providers may use oral, text, or sign language notice to obtain limited, one-time use of CPNI for inbound and outbound customer telephone, TRS, or point-to-point contacts for the duration of the call, regardless of whether TRS providers use opt-out or opt-in approval based on the nature of the contact.

(2) The contents of any such notification shall comply with the requirements of paragraph (c) of this section, except that TRS providers may omit any of the following notice provisions if not relevant to the limited use for which the TRS provider seeks CPNI:

(i) TRS providers need not advise customers that if they have opted-out previously, no action is needed to maintain the opt-out election;

(ii) TRS providers need not advise customers that the TRS provider may share CPNI with the TRS provider's affiliates or third parties and need not name those entities, if the limited CPNI usage will not result in use by, or disclosure to, an affiliate or third party;

(iii) TRS providers need not disclose the means by which a customer can deny or withdraw future access to CPNI, so long as the TRS provider explains to customers that the scope of the approval the TRS provider seeks is limited to one-time use; and

(iv) TRS providers may omit disclosure of the precise steps a customer must take in order to grant or deny access to CPNI, as long as the TRS provider clearly communicates that the customer can deny access to his or her CPNI for the call.

[79 FR 40613, July 5, 2013]
§ 64.5109 - Safeguards required for use of customer proprietary network information.

(a) TRS providers shall implement a system by which the status of a customer's CPNI approval can be clearly established prior to the use of CPNI. Except as provided for in §§ 64.5105 and 64.5108(f) of this subpart, TRS providers shall provide access to and shall require all personnel, including any agents, contractors, and subcontractors, who have contact with customers to verify the status of a customer's CPNI approval before using, disclosing, or permitting access to the customer's CPNI.

(b) TRS providers shall train their personnel, including any agents, contractors, and subcontractors, as to when they are and are not authorized to use CPNI, including procedures for verification of the status of a customer's CPNI approval. TRS providers shall have an express disciplinary process in place, including in the case of agents, contractors, and subcontractors, a right to cancel the applicable contract(s) or otherwise take disciplinary action.

(c) TRS providers shall maintain a record, electronically or in some other manner, of their own and their affiliates' sales and marketing campaigns that use their customers' CPNI. All TRS providers shall maintain a record of all instances where CPNI was disclosed or provided to third parties, or where third parties were allowed access to CPNI. The record shall include a description of each campaign, the specific CPNI that was used in the campaign, including the customer's name, and what products and services were offered as a part of the campaign. TRS providers shall retain the record for a minimum of three years.

(d) TRS providers shall establish a supervisory review process regarding TRS provider compliance with the rules in this subpart for outbound marketing situations and maintain records of TRS provider compliance for a minimum period of three years. Sales personnel must obtain supervisory approval of any proposed outbound marketing request for customer approval.

(e) A TRS provider shall have an officer, as an agent of the TRS provider, sign and file with the Commission a compliance certification on an annual basis. The officer shall state in the certification that he or she has personal knowledge that the company has established operating procedures that are adequate to ensure compliance with the rules in this subpart. The TRS provider must provide a statement accompanying the certification explaining how its operating procedures ensure that it is or is not in compliance with the rules in this subpart. In addition, the TRS provider must include an explanation of any actions taken against data brokers, a summary of all customer complaints received in the past year concerning the unauthorized release of CPNI, and a report detailing all instances where the TRS provider, or its agents, contractors, or subcontractors, used, disclosed, or permitted access to CPNI without complying with the procedures specified in this subpart. In the case of iTRS providers, this filing shall be included in the annual report filed with the Commission pursuant to § 64.606(g) of this part for data pertaining to the previous year. In the case of all other TRS providers, this filing shall be made annually with the Disability Rights Office of the Consumer and Governmental Affairs Bureau on or before March 1 in CG Docket No. 03-123 for data pertaining to the previous calendar year.

(f) TRS providers shall provide written notice within five business days to the Disability Rights Office of the Consumer and Governmental Affairs Bureau of the Commission of any instance where the opt-out mechanisms do not work properly, to such a degree that consumers' inability to opt-out is more than an anomaly.

(1) The notice shall be in the form of a letter, and shall include the TRS provider's name, a description of the opt-out mechanism(s) used, the problem(s) experienced, the remedy proposed and when it will be/was implemented, whether the relevant state commission(s) has been notified, if applicable, and whether the state commission(s) has taken any action, a copy of the notice provided to customers, and contact information.

(2) Such notice shall be submitted even if the TRS provider offers other methods by which consumers may opt-out.

[79 FR 40613, July 5, 2013]
§ 64.5110 - Safeguards on the disclosure of customer proprietary network information.

(a) Safeguarding CPNI. TRS providers shall take all reasonable measures to discover and protect against attempts to gain unauthorized access to CPNI. TRS providers shall authenticate a customer prior to disclosing CPNI based on a customer-initiated telephone contact, TRS call, point-to-point call, online account access, or an in-store visit.

(b) Telephone, TRS, and point-to-point access to CPNI. A TRS provider shall authenticate a customer without the use of readily available biographical information, or account information, prior to allowing the customer telephonic, TRS, or point-to-point access to CPNI related to his or her TRS account. Alternatively, the customer may obtain telephonic, TRS, or point-to-point access to CPNI related to his or her TRS account through a password, as described in paragraph (e) of this section.

(c) Online access to CPNI. A TRS provider shall authenticate a customer without the use of readily available biographical information, or account information, prior to allowing the customer online access to CPNI related to his or her TRS account. Once authenticated, the customer may only obtain online access to CPNI related to his or her TRS account through a password, as described in paragraph (e) of this section.

(d) In-store access to CPNI. A TRS provider may disclose CPNI to a customer who, at a TRS provider's retail location, first presents to the TRS provider or its agent a valid photo ID matching the customer's account information.

(e) Establishment of a password and back-up authentication methods for lost or forgotten passwords. To establish a password, a TRS provider shall authenticate the customer without the use of readily available biographical information, or account information. TRS providers may create a back-up customer authentication method in the event of a lost or forgotten password, but such back-up customer authentication method may not prompt the customer for readily available biographical information, or account information. If a customer cannot provide the correct password or the correct response for the back-up customer authentication method, the customer shall establish a new password as described in this paragraph.

(f) Notification of account changes. TRS providers shall notify customers immediately whenever a password, customer response to a back-up means of authentication for lost or forgotten passwords, online account, or address of record is created or changed. This notification is not required when the customer initiates service, including the selection of a password at service initiation. This notification may be through a TRS provider-originated voicemail, text message, or video mail to the telephone number of record, by mail to the physical address of record, or by email to the email address of record, and shall not reveal the changed information or be sent to the new account information.

[79 FR 40613, July 5, 2013]
§ 64.5111 - Notification of customer proprietary network information security breaches.
Link to an amendment published at 89 FR 10003, Feb. 12, 2024.

(a) A TRS provider shall notify law enforcement of a breach of its customers' CPNI as provided in this section. The TRS provider shall not notify its customers or disclose the breach publicly, whether voluntarily or under state or local law or these rules, until it has completed the process of notifying law enforcement pursuant to paragraph (b) of this section. The TRS provider shall file a copy of the notification with the Disability Rights Office of the Consumer and Governmental Affairs Bureau at the same time as when the TRS provider notifies the customers.

(b) As soon as practicable, and in no event later than seven (7) business days, after reasonable determination of the breach, the TRS provider shall electronically notify the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI) through a central reporting facility. The Commission will maintain a link to the reporting facility at http://www.fcc.gov/eb/cpni.

(1) Notwithstanding any state law to the contrary, the TRS provider shall not notify customers or disclose the breach to the public until 7 full business days have passed after notification to the USSS and the FBI except as provided in paragraphs (b)(2) and (3) of this section.

(2) If the TRS provider believes that there is an extraordinarily urgent need to notify any class of affected customers sooner than otherwise allowed under paragraph (b)(1) of this section, in order to avoid immediate and irreparable harm, it shall so indicate in its notification and may proceed to immediately notify its affected customers only after consultation with the relevant investigating agency. The TRS provider shall cooperate with the relevant investigating agency's request to minimize any adverse effects of such customer notification.

(3) If the relevant investigating agency determines that public disclosure or notice to customers would impede or compromise an ongoing or potential criminal investigation or national security, such agency may direct the TRS provider not to so disclose or notify for an initial period of up to 30 days. Such period may be extended by the agency as reasonably necessary in the judgment of the agency. If such direction is given, the agency shall notify the TRS provider when it appears that public disclosure or notice to affected customers will no longer impede or compromise a criminal investigation or national security. The agency shall provide in writing its initial direction to the TRS provider, any subsequent extension, and any notification that notice will no longer impede or compromise a criminal investigation or national security and such writings shall be contemporaneously logged on the same reporting facility that contains records of notifications filed by TRS providers.

(c) Customer notification. After a TRS provider has completed the process of notifying law enforcement pursuant to paragraph (b) of this section, and consistent with the waiting requirements specified in paragraph (b) of this section, the TRS provider shall notify its customers of a breach of those customers' CPNI.

(d) Recordkeeping. All TRS providers shall maintain a record, electronically or in some other manner, of any breaches discovered, notifications made to the USSS and the FBI pursuant to paragraph (b) of this section, and notifications made to customers. The record must include, if available, dates of discovery and notification, a detailed description of the CPNI that was the subject of the breach, and the circumstances of the breach. TRS providers shall retain the record for a minimum of 2 years.

(e) Definition. As used in this section, a “breach” has occurred when a person, without authorization or exceeding authorization, has intentionally gained access to, used, or disclosed CPNI.

(f) This section does not supersede any statute, regulation, order, or interpretation in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this section, and then only to the extent of the inconsistency.

[78 FR 40613, July 5, 2013]
authority: 47 U.S.C. 151, 152, 154, 201, 202, 217, 218, 220, 222, 225, 226, 227, 227b, 228, 251, 251, 254, 255, 262, 276, 403, c, 616, 620, 716, 1401, unless; Pub. L. 115-141, Div. P, sec. 503, 132 Stat. 348, 1091
source: 28 FR 13239, Dec. 5, 1963, unless otherwise noted.
cite as: 47 CFR 64.5110