Why Telecommunications Companies Must Strengthen Data Privacy Compliance Under the Communications Act
Filed in Federal Privacy — October 9, 2025
October 10, 2025
Introduction
Telecommunications companies are the backbone of modern connectivity—powering everything from phone calls and broadband to cloud-based communications and mobile data services. But with great connectivity comes a significant responsibility to protect consumer information.
Under the Communications Act of 1934, as amended by the Telecommunications Act of 1996, telecommunications carriers must safeguard the confidentiality of customer data. The Federal Communications Commission (FCC), which enforces these laws, continues to strengthen its stance on privacy protection—particularly concerning Customer Proprietary Network Information (CPNI) and unauthorized data sharing.
Recent enforcement actions show that non-compliance can cost companies millions in penalties and long-term reputational damage. In one landmark case, AT&T paid $25 million to settle an FCC investigation after employees at overseas call centers accessed and sold customer information—including names and Social Security numbers—without authorization.
More recently, the FCC imposed nearly $200 million in fines across major wireless carriers—AT&T, Verizon, T-Mobile, and Sprint—after investigations found that the companies had shared customers’ real-time location data with third-party aggregators without proper consent or safeguards.
These cases highlight the FCC’s aggressive enforcement approach and the growing expectation that telecommunications providers strengthen their compliance with the Communications Act’s privacy provisions.
What the Communications Act Requires
The Communications Act sets out several consumer protection mandates, but the most privacy-relevant are those concerning Customer Proprietary Network Information (CPNI).
CPNI refers to data that telecommunications carriers collect about their customers through the provision of telecommunications services. This includes:
- Call records (time, duration, and destination)
- Service usage details
- Billing information
- Device identifiers and location data
Under Section 222 of the Communications Act, carriers have a duty to protect the confidentiality of this information. They may not use, disclose, or allow access to CPNI without customer consent, except in specific lawful circumstances.
The FCC also enforces rules requiring telecommunications carriers to:
- Obtain opt-in consent before sharing CPNI with third parties for marketing or analytics.
- Provide annual compliance certifications.
- Implement robust authentication procedures to prevent “pretexting,” where bad actors impersonate customers to obtain data.
- Report any data breaches to federal law enforcement and affected consumers in a timely manner.
Recent FCC Enforcement Actions in Telecommunications
Recent cases demonstrate that the FCC is aggressively enforcing privacy obligations across the telecommunications industry:
- AT&T, Verizon, T-Mobile, and Sprint (2024) – The FCC finalized enforcement actions totaling nearly $200 million against the nation’s largest wireless carriers for sharing customers’ location data with third-party aggregators without proper consent. These actions followed multi-year investigations into data practices that allowed unauthorized access by bounty hunters and other intermediaries.
- TracFone Wireless (2024) – The FCC announced a $16 million settlement resolving investigations into multiple data breaches and failures to properly authenticate customer accounts before allowing SIM swaps—practices that exposed consumers to identity theft and unauthorized account takeovers.
- Lumen Technologies (formerly CenturyLink) – While no privacy-specific fine was issued in 2022, the FCC has taken enforcement actions against Lumen for operational lapses affecting 911 services and network reliability, underscoring the regulator’s broad enforcement scope across consumer protection and communications security.
These enforcement trends show a clear message from regulators: telecommunications companies must take proactive, demonstrable steps to secure customer information and prevent misuse.
Why It Matters for Telecommunications Leaders
Telecommunications companies handle some of the most sensitive categories of consumer data—from call metadata to location and browsing information. Mishandling this data can lead not only to FCC penalties but also lawsuits, reputational loss, and diminished customer trust.
Key risks for telecom decision-makers include:
- Data Sharing Without Consent – Even seemingly harmless analytics partnerships may violate Section 222 if customer data is shared without explicit authorization.
- Insufficient Authentication Controls – Weak or outdated authentication methods invite fraudsters to gain access through pretexting or SIM-swapping attacks.
- Lack of Breach Reporting Preparedness – Failure to follow FCC’s mandatory breach reporting requirements can result in additional fines or penalties.
- Inadequate Oversight of Third Parties – If vendors or resellers mishandle customer data, the carrier itself remains accountable under the law.
Compliance Steps for Telecommunications Companies
To strengthen compliance and mitigate risks, telecommunications leaders should prioritize the following actions:
| Step | Action |
| Assess and Classify Data | Identify all categories of CPNI and determine how they are collected, stored, and shared. |
| Review Consent Mechanisms | Ensure customer consent for data use is clear, specific, and verifiable. Avoid opt-out models for sensitive data. |
| Strengthen Authentication | Implement multi-factor authentication (MFA) for customer access and internal staff systems to prevent unauthorized disclosures. |
| Enhance Vendor Oversight | Require third-party service providers to follow the same CPNI protection standards and audit their compliance regularly. |
| Establish Breach Protocols | Develop written procedures for detecting, documenting, and reporting breaches under FCC timelines. |
| Annual Certification | File annual CPNI compliance certifications with the FCC, as required by law. |
A Compliance Opportunity, Not Just an Obligation
For telecommunications companies, compliance with the Communications Act and FCC privacy rules is more than a legal requirement—it’s an opportunity to demonstrate reliability and trustworthiness to both customers and regulators.
Organizations that actively manage their privacy frameworks gain a distinct advantage in an era where consumers are increasingly aware of how their data is handled.
Partner with The Data Privacy Lawyer PLLC
At The Data Privacy Lawyer PLLC, we provide strategic, industry-specific guidance to help telecommunications companies comply with the Communications Act and related FCC privacy mandates.
Our services include:
- CPNI compliance audits
- Privacy and breach reporting protocol development
- Vendor and partner data-sharing assessments
- Regulatory policy interpretation and staff training
📞 +1 (202) 946-5970
📧 info@thedataprivacylawyer.com
🌐 www.thedataprivacylawyer.com
🔗 https://linktr.ee/thedataprivacylawyer
A practical checklist to evaluate and strengthen the foundation of your privacy program—so you’re not caught off guard by gaps, risks, or outdated practices.
When compliance feels overwhelming, it’s easy to freeze or delay action. This checklist helps you cut through the noise, identify what’s missing, and move forward with clarity and confidence. Let’s simplify the complex and get your privacy program into proactive, aligned motion.
