We hope that you remembered to "spring forward" over the weekend --
Today's Privacy Monday is a bit longer than usual - but an important read, particularly if you are a mobile app developer.
California Public Utilities Commission Declines to Develop New Regulations and Standards for Wireless Carriers and Mobile App Providers . . . for Now, at Least
Written by Jake Romero
Certain things in life are a certainty; death and taxes, for example, or Jennifer Lawrence falling down at the Oscars. Until recently, a good argument could have been made that California agreeing to implement new data privacy regulations was one of those certainties. At its January 16, 2014 meeting, however, the California Public Utilities Commission (“CPUC”) declined a request to develop privacy standards for wireless carriers and mobile applications. The denial comes in response to a Petition for Rulemaking filed by a collection of consumer groups (the “Petition”) such as the Consumer Federation of California, the Privacy Rights Clearinghouse and the Utility Reform Network. The CPUC Decision (which can be read in its entirety here) concludes that “[g]iven the lack of documented examples of actual breaches of customer privacy by telecommunications corporations, as well as the existence of a variety of laws and regulations governing the treatment of potentially sensitive customer information by businesses in general and telecommunications providers in particular, it is not clear that a review of the company privacy practices in California is needed at this time.”
The Petition, which was originally filed on November 8, 2012, requested that the CPUC (1) initiate a new rulemaking to review the customer information that telephone corporations collect or have access to, along with those companies’ practices in handling and using that information; (2) develop standards for the collection, handling, and sharing of customer information to ensure that customers are aware of what information may be collected and how that information may be used; and (3) extend the applicability of its privacy rules to third parties under contract with telecommunications providers, as well as other third parties that use the phone as a platform, such as mobile applications. Had the CPUC agreed with the petitioners, the additional rules would have added to an already crowded regulatory mix in California. However, the petitioners argued that additional rules are necessary because of the rapid development of communication technologies, and that any additional rules promulgated by the CPUC could help to update and modernize current regulations.
Opposition comments to the Petition were filed by CTIA, AT&T and its affiliated companies and MetroPCS California. The opposing party comments made two primary arguments in favor of denying the Petition; one procedural and one substantive. On procedural grounds, the opposing parties argued that the Petition attempts to reach non-regulated services and providers, over which the CPUC has limited authority, without clear justification. Substantively, the opposition argued that additional rulemaking is unnecessary because existing laws and policies already protect the privacy of customer information available to telecommunications carriers, and carriers already have internal privacy policies in place to comply with California state law.
In denying the Petition, the CPUC agreed with the opposing parties that federal and state laws governing the protection and use of, among other things, information that relates to the use of telecommunications services, already address privacy issues related to customer data, and that such laws had been updated and revised on an ongoing basis in response to further technological development. The CPUC noted that the Petition was specifically focused on third-party applications, but found that the Petition was unable to identify types of information collected or accessible by these parties that would not already be covered by federal or state privacy laws. Moreover, the application of the federal and state laws applicable to mobile application providers are primary enforced by entities other than the CPUC, such as the Federal Trade Commission or States’ Attorneys General. In the absence of “clearer documentation of gaps in existing privacy laws and regulations, as well as examples of actual harm from such privacy violations” the CPUC denied the Petition.
There are a few key takeaways from the CPUC decision. First, notwithstanding its conclusions, the CPUC left the door open for the petitioners to return with further information and developments in the future. The CPUC noted that because of rapid changes in communications technology, it is possible that concerns may develop that would need to be addressed. Second, the Petition’s focus on mobile applications is yet another indication that concerns about mobile privacy and continuing to grow. Following months of front-page news stories about data breaches and Apple’s own high-profile security update, it is unlikely that these concerns will diminish any time soon. On the other hand, online service providers just recently dealt with a barrage of new California regulations. The CPUC’s decision not to add to the regulatory web at this point will likely be welcome news for online service providers.