FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011)
47 CFR Part 64 Subpart U (sections 64.2001 to 64.2011) is the US Federal Communications Commission rulemaking implementing Section 222 of the Communications Act of 1934 + the CPNI Order. CPNI is information that relates to the quantity + technical configuration + type + destination + location + amount of use of a telecommunications service subscribed to by a customer + made available to the carrier by the customer solely by virtue of the carrier-customer relationship. CPNI typically includes: call detail records (CDR) - origination + destination + duration + frequency + time of calls; service plan information + features + billing; geographic / location data; technical configuration of customer service. The CPNI rules apply to: telecommunications carriers + interconnected VoIP providers + (post-2016) broadband internet access service providers under FCC Title II classification (since reversed). Core requirements: (a) use + disclosure restrictions under Section 222 (CPNI may only be used for the provision of telecommunications services + adjacent services unless customer approval is obtained); (b) approval mechanisms - opt-in for non-affiliated third parties + opt-out for affiliated marketing of additional services (Section 64.2004); (c) notice requirements for customer approval (Section 64.2008); (d) safeguards on use + disclosure (Sections 64.2009 + 64.2010 - personnel training + supervisory review + authentication for online + telephone + in-store account access + password protection); (e) DATA BREACH NOTIFICATION (Section 64.2011 - law enforcement notification within 7 business days to USSS + FBI via FCC ECPNI portal + customer notification after the 7-business-day waiting period unless law enforcement extends + recordkeeping for 2 years); (f) annual compliance certification by a corporate officer with personal knowledge (filed with FCC by 1 March each year). The FCC CPNI rules have been amended multiple times: 2007 CPNI Order (pretexting + authentication strengthening following the HP pretexting scandal); 2009 CPNI Order (further authentication + password protection); 2011 Data Breach Order (Section 64.2011 breach notification framework + recordkeeping); 2017 FCC Broadband Privacy rules (FCC 16-148 - REPEALED by Congressional Review Act in April 2017 + replaced by common-carrier rules); 2024 FCC Section 222 enforcement action against major carriers for sale of customer location data (Verizon + AT&T + T-Mobile + Sprint - hundreds of millions in fines).
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (6)
FCC CPNI: Annual Compliance Certification and Recordkeeping
| Code | Title |
|---|---|
| CPNI-AnnualCert | Annual compliance certification - 1 March deadline (47 CFR 64.2009(e)) |
| CPNI-Recordkeeping | Recordkeeping requirements (multi-rule) |
FCC CPNI: Basis, Purpose and Definitions (64.2001-64.2003)
| Code | Title |
|---|---|
| CPNI-64.2001_2003 | Basis, purpose and definitions (47 CFR 64.2001 + 64.2003) |
| CPNI-Status | FCC CPNI - corpus status, enforcement landscape, broadband privacy |
FCC CPNI: Data Breach Notification (64.2011)
| Code | Title |
|---|---|
| CPNI-64.2011 | Notification of CPNI security breaches (47 CFR 64.2011) |
FCC CPNI: Personnel Training and Marketing Campaign Records
| Code | Title |
|---|---|
| CPNI-Marketing-OBM | Outbound marketing (OBM) records and supervisory review (47 CFR 64.2009(b)-(c)) |
| CPNI-Personnel | Personnel training and disciplinary process (47 CFR 64.2009(a)) |
FCC CPNI: Safeguards on Use and Disclosure (64.2009-64.2010)
| Code | Title |
|---|---|
| CPNI-64.2009 | Safeguards required for use of CPNI (47 CFR 64.2009) |
| CPNI-64.2010 | Safeguards on disclosure - authentication for account access (47 CFR 64.2010) |
| CPNI-Vendor | Third party and joint venture CPNI restrictions (47 CFR 64.2007 + 64.2009) |
FCC CPNI: Use, Approval and Notice (64.2004-64.2008)
| Code | Title |
|---|---|
| CPNI-64.2004 | Customer approval mechanisms - opt-in and opt-out (47 CFR 64.2004) |
| CPNI-64.2005_2007 | Use of CPNI without customer approval + approval required for use (47 CFR 64.2005-64.2007) |
| CPNI-64.2008 | Notice requirements for use of CPNI (47 CFR 64.2008) |
Your Compliance Coverage
If you comply with FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011), you already cover:
Maps to 35 other frameworks
Frequently Asked Questions
What is FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011)?
FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011) is a compliance framework from United States (FCC) with 6 domains and 13 controls. 47 CFR Part 64 Subpart U (sections 64.2001 to 64.2011) is the US Federal Communications Commission rulemaking implementing Section 222 of the Communications Act of 1934 + the CPNI Order. CPNI is information that relates to the quantity + technical configuration + type + destination + location + amount of use of a telecommunications service subscribed to by a customer + made available to the carrier by the customer solely by virtue of the carrier-customer relationship. CPNI typically includes: call detail records (CDR) - origination + destination + duration + frequency + time of calls; service plan information + features + billing; geographic / location data; technical configuration of customer service. The CPNI rules apply to: telecommunications carriers + interconnected VoIP providers + (post-2016) broadband internet access service providers under FCC Title II classification (since reversed). Core requirements: (a) use + disclosure restrictions under Section 222 (CPNI may only be used for the provision of telecommunications services + adjacent services unless customer approval is obtained); (b) approval mechanisms - opt-in for non-affiliated third parties + opt-out for affiliated marketing of additional services (Section 64.2004); (c) notice requirements for customer approval (Section 64.2008); (d) safeguards on use + disclosure (Sections 64.2009 + 64.2010 - personnel training + supervisory review + authentication for online + telephone + in-store account access + password protection); (e) DATA BREACH NOTIFICATION (Section 64.2011 - law enforcement notification within 7 business days to USSS + FBI via FCC ECPNI portal + customer notification after the 7-business-day waiting period unless law enforcement extends + recordkeeping for 2 years); (f) annual compliance certification by a corporate officer with personal knowledge (filed with FCC by 1 March each year). The FCC CPNI rules have been amended multiple times: 2007 CPNI Order (pretexting + authentication strengthening following the HP pretexting scandal); 2009 CPNI Order (further authentication + password protection); 2011 Data Breach Order (Section 64.2011 breach notification framework + recordkeeping); 2017 FCC Broadband Privacy rules (FCC 16-148 - REPEALED by Congressional Review Act in April 2017 + replaced by common-carrier rules); 2024 FCC Section 222 enforcement action against major carriers for sale of customer location data (Verizon + AT&T + T-Mobile + Sprint - hundreds of millions in fines). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011) have?
FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011) has 13 controls organised across 6 domains. The largest domains are FCC CPNI: Safeguards on Use and Disclosure (64.2009-64.2010) (3 controls), FCC CPNI: Use, Approval and Notice (64.2004-64.2008) (3 controls), FCC CPNI: Annual Compliance Certification and Recordkeeping (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011) map to?
FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011) maps to 35 other compliance frameworks. The top mapping partners are ISO/IEC 27400:2022 (38% coverage), ISO 19011 (38% coverage), ISO 15189:2022 - Medical Laboratories Requirements for Quality and Competence (38% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011) compliance?
Start your FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about FCC Customer Proprietary Network Information (CPNI) and Data Breach Rules (47 CFR 64.2001-2011) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 13 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 718 frameworks.
Get Started Free →Free forever — no credit card required