On Tuesday, September 3, the FCC’s Enforcement Bureau announced that it had entered into a consent decree with Verizon, under which Verizon will pay $7.4 million to the U.S. Treasury for violating the FCC’s “Customer Proprietary Network Information” (“CPNI”) rules—the agency’s customer privacy rules applicable to telecommunications carriers. The FCC hailed this settlement as “the largest such payment in FCC history for settling an investigation related solely to the privacy of telephone customers’ personal information.” This decree is the latest in a recent pattern of stepped-up FCC enforcement actions involving record penalties against service providers for violations of the agency’s privacy and consumer protection-related regulations.

In the consent decree, Verizon acknowledged that it had failed to send CPNI “opt-out” notices to about 2 million new customers between 2006 and 2012. The CPNI rules (47 C.F.R. 64.2001 et seq.), adopted by the FCC under Section 222 of the Telecommunications Act of 1996 (47 U.S.C. 222), require telecom carriers to protect individually identifiable customer information that they possess by virtue of the carrier-customer relationship, and, among other things, require carriers to give every customer the option to “opt out” of allowing the carrier to use such information to market additional services to customers. Before seeking customer approval to use or disclose their CPNI, carriers must notify all customers of their right to restrict access to and use of their CPNI and to deny or withdraw permission for such uses at any time, and to specifically “advise the customer of the precise steps the customer must take in order to grant or deny access to CPNI.”

For most carrier marketing uses of CPNI, the carrier may seek express “opt-in” customer consent or, in the case of the carrier’s own use or disclosure to its "affiliates" providing "communications-related services," permit the customer to “opt-out” of such uses. Verizon had chosen the latter method, which must be in written or electronic form and must give a customer 30-day notice and opportunity to opt out before any marketing use of his or her CPNI. The “opt-out” notice must be repeated every two years and is subject to additional very specific requirements. In late 2012 Verizon discovered that it had failed to send the required CPNI opt-out notifications to many new business and residential customers. Although the FCC rules require carriers to notify it of any failures in their opt-out processes within five business days of discovery, Verizon did not notify the FCC of this failure until four months later, in January 2013.

In addition to the $7.4 million payment, the consent decree requires Verizon to send opt-out notices on every invoice sent to every customer for the next three years, to implement a strict compliance plan entailing new operating procedures to prevent future violations, and to report any future failures to the FCC within the prescribed five day timeframe.