Federal Communications Commission
Washington, D.C. 20554
June 6, 2008
DA 08-1321
Small Entity Compliance Guide
Customer Proprietary Network Information (CPNI)
FCC 07-22
FCC 02-214
CC Docket No. 96-115
This Guide is prepared in accordance with the requirements of Section 212 of 
the Small Business Regulatory Enforcement Fairness Act of 1996.  It is 
intended to help small entities—small businesses, small organizations (non-
profits), and small governmental jurisdictions—comply with the new rules 
adopted in the above-referenced FCC rulemaking dockets.  This Guide is not 
intended to replace the rules, which provide the final authority in this 
context.  Although we have attempted to cover all parts of the rules that 
might be especially important to small entities, the coverage may not be 
exhaustive.  This Guide may not apply in a particular situation based upon 
the circumstances, and the FCC retains the discretion to adopt approaches 
on a case-by-case basis that may differ from this Guide.  Any decisions 
regarding a particular small entity will be based on application of the statute 
and regulations.  Interested parties are free to file comments regarding this 
Guide and its application to a particular situation; the FCC will consider 
whether the recommendations or interpretations in the Guide are 
appropriate in that situation.  The FCC may revise this Guide without public 
notice to clarify or update the contents.  Direct your comments and 
recommendations, or calls for further assistance, to the FCC’s Consumer 
Center:
1-888-CALL-FCC  (1-888-225-5322)
 
TTY: 1-888-TELL-FCC  (1-888-835-5322)
 
Fax: 202-418-0232
fccinfo@fcc.gov
2
Table of Contents
I. OBJECTIVES OF THE PROCEEDING ..................................................................................3
II. COMPLIANCE REQUIREMENTS .........................................................................................3
A. Rule Requirements ..............................................................................................................3
B. Notification Requirements...................................................................................................5
C. Recordkeeping Requirements............................................................................................10
D. Filing Requirements ..........................................................................................................12
III. COMPLIANCE DATES .........................................................................................................13
IV. IMPORTANT DEFINITIONS................................................................................................13
V. WEB LINKS ...........................................................................................................................17
3
I. OBJECTIVES OF THE PROCEEDING 
Ų Protect private information of customers of telecommunications carriers and
interconnected Voice over Internet Protocol (VoIP) service providers
o Congress recognized both that telecommunications carriers are in a unique 
position to collect sensitive personal information – including to whom, where and 
when their customers call – and that customers maintain an important privacy 
interest in protecting this information from disclosure and dissemination.  
Accordingly, section 222 of the Communications Act, 47 U.S.C. § 222, requires 
telecommunications carriers (and interconnected VoIP service providers) to take 
specific steps to ensure that customer proprietary network information (CPNI) is 
adequately protected from unauthorized disclosure.  
Ų Sharply limit pretexters’ ability to obtain unauthorized access to CPNI
o Data brokers, or pretexters, have obtained unauthorized access to CPNI.  
Mandatory password protections for online access, use of passwords for telephone 
access to CPNI, and customer and law enforcement notifications will limit 
pretexters’ ability to obtain unauthorized access to CPNI. 
II. COMPLIANCE REQUIREMENTS
A. Rule Requirements
Ų Safeguarding CPNI 
o Telecommunications carriers – a term which includes providers of interconnected 
VoIP service for the purposes of these rules – must take reasonable measures to 
discover and protect against attempts to gain unauthorized access to CPNI.
o Telecommunications carriers must properly authenticate a customer prior to 
disclosing CPNI based on customer-initiated telephone contact, online account 
access, or an in-store visit. [47 C.F.R. § 64.2010(a)]
Ų Password for online access to CPNI 
o A telecommunications carrier must authenticate a customer without the use of 
readily available biographical information, or account information, prior to 
allowing the customer online access to CPNI related to a telecommunications 
service account. 
o Once authenticated, the customer may only obtain online access to CPNI related 
to a telecommunications service account through a password that is not prompted 
4
by the carrier asking for readily available biographical information, or account 
information. [47 C.F.R. § 64.2010(c)]
Ų Password for telephone access to call detail information 
o Telecommunications carriers may only disclose call detail information over the 
telephone, based on customer-initiated telephone contact, if the customer first 
provides the carrier with a password that is not prompted by the carrier asking for 
readily available biographical information, or account information. 
o If the customer does not provide a password, the telecommunications carrier may 
only disclose call detail information by sending it to the customer's address of 
record, or by calling the customer at the telephone number of record. 
o If the customer is able to provide call detail information to the 
telecommunications carrier during a customer-initiated call without the 
telecommunications carrier's assistance, then the telecommunications carrier is 
permitted to discuss the call detail information provided by the customer. [47 
C.F.R. § 64.2010(b)]
Ų In-store access to CPNI
o A telecommunications carrier may disclose CPNI to a customer who, at a carrier's 
retail location, first presents to the telecommunications carrier or its agent a valid 
photo ID matching the customer's account information. [47 C.F.R. § 64.2010(d)]
Ų Opt-in/opt-out customer approval 
o A telecommunications carrier may, subject to opt-out approval or opt-in approval, 
use its customer's individually identifiable CPNI for the purpose of marketing 
communications-related services to that customer. 
o A telecommunications carrier may, subject to opt-out approval or opt-in approval, 
disclose its customer's individually identifiable CPNI, for the purpose of 
marketing communications-related services to that customer, to its agents and its 
affiliates that provide communications-related services.  
§ A telecommunications carrier may also permit such persons or entities to 
obtain access to such CPNI for such purposes. 
o Except for use and disclosure of CPNI that is permitted without customer 
approval, or as otherwise described in section 64.2007(b) or otherwise provided in 
section 222, a telecommunications carrier may only use, disclose, or permit access 
to its customer's individually identifiable CPNI subject to opt-in approval.
o A telecommunications carrier may obtain approval through written, oral or 
electronic methods.
5
§ A telecommunications carrier relying on oral approval shall bear the 
burden of demonstrating that such approval has been given in compliance 
with the Commission's rules in this part.
§ Approval or disapproval to use, disclose, or permit access to a customer's 
CPNI obtained by a telecommunications carrier must remain in effect until 
the customer revokes or limits such approval or disapproval. [47 C.F.R. § 
64.2007]
Ų Training and express disciplinary process in place 
o Telecommunications carriers must train their personnel as to when they are and 
are not authorized to use CPNI, and carriers must have an express disciplinary 
process in place. [47 C.F.R. § 64.2009(b)]
B. Notification Requirements
Ų Notification to law enforcement of breach 
o A telecommunications carrier shall notify law enforcement of a breach of its 
customers' CPNI.  The carrier shall not notify its customers or disclose the breach 
publicly, whether voluntarily or under state or local law or the Commission’s 
rules, until it has completed the process of notifying law enforcement.
o As soon as practicable, and in no event later than seven business days, after
reasonable determination of the breach, the telecommunications carrier shall 
electronically notify the United States Secret Service (USSS) and the Federal 
Bureau of Investigation (FBI) through a central reporting facility.  The 
Commission will maintain a link to the reporting facility at 
http://www.fcc.gov/eb/cpni.
§ Notwithstanding any state law to the contrary, the carrier shall not notify 
customers or disclose the breach to the public until seven full business 
days have passed after notification to the USSS and the FBI, except as 
provided below.
§ If the carrier believes that there is an extraordinarily urgent need to notify 
any class of affected customers sooner than otherwise allowed, in order to 
avoid immediate and irreparable harm, it shall so indicate in its 
notification and may proceed to immediately notify its affected customers 
only after consultation with the relevant investigating agency.  
· The carrier shall cooperate with the relevant investigating agency's 
request to minimize any adverse effects of such customer 
notification.
6
§ If the relevant investigating agency determines that public disclosure or 
notice to customers would impede or compromise an ongoing or potential 
criminal investigation or national security, such agency may direct the 
carrier not to so disclose or notify for an initial period of up to 30 days.  
Such period may be extended by the agency as reasonably necessary in the 
judgment of the agency. 
§ If such direction is given, the agency shall notify the carrier when it 
appears that public disclosure or notice to affected customers will no 
longer impede or compromise a criminal investigation or national security. 
· The agency shall provide in writing its initial direction to the 
carrier, any subsequent extension, and any notification that notice 
will no longer impede or compromise a criminal investigation or 
national security and such writings shall be contemporaneously 
logged on the same reporting facility that contains records of 
notifications filed by carriers. [47 C.F.R. § 64.2011(a)-(b)]
Ų Notification to customer of breach 
o After a telecommunications carrier has completed the process of notifying law 
enforcement, it shall notify its customers of a breach of those customers' CPNI.  
[47 C.F.R. § 64.2011(c)]
Ų Notification of account changes 
o Telecommunications carriers must notify customers immediately whenever a 
password, customer response to a back-up means of authentication for lost or 
forgotten passwords, online account, or address of record is created or changed.  
This notification is not required when the customer initiates service, including the 
selection of a password at service initiation. 
o This notification may be through a carrier-originated voicemail or text message to 
the telephone number of record, or by mail to the address of record, and must not 
reveal the changed information or be sent to the new account information. [47 
C.F.R. § 64.2010(f)]
7
Ų Notification before use of CPNI 
o Notification generally 
§ Prior to any solicitation for customer approval, a telecommunications 
carrier must provide notification to the customer of the customer's right to 
restrict use of, disclosure of, and access to that customer's CPNI.
§ Individual notice to customers must be provided when soliciting approval 
to use, disclose, or permit access to customers' CPNI. [47 C.F.R. § 
64.2008]
o Content of Notice
§ Customer notification must provide sufficient information to enable the 
customer to make an informed decision as to whether to permit a carrier 
to use, disclose, or permit access to, the customer's CPNI.
· The notification must state that the customer has a right, and the 
carrier has a duty, under federal law, to protect the confidentiality 
of CPNI.
· The notification must specify the types of information that 
constitute CPNI and the specific entities that will receive the 
CPNI, describe the purposes for which CPNI will be used, and 
inform the customer of his or her right to disapprove those uses, 
and deny or withdraw access to CPNI at any time.
· The notification must advise the customer of the precise steps the 
customer must take in order to grant or deny access to CPNI, and 
must clearly state that a denial of approval will not affect the 
provision of any services to which the customer subscribes.  
o However, carriers may provide a brief statement, in clear 
and neutral language, describing consequences directly 
resulting from the lack of access to CPNI.
· The notification must be comprehensible and must not be 
misleading.
· If written notification is provided, the notice must be clearly 
legible, use sufficiently large type, and be placed in an area so as to 
be readily apparent to a customer.
· If any portion of a notification is translated into another language, 
then all portions of the notification must be translated into that 
language.
8
· A carrier may state in the notification that the customer's approval 
to use CPNI may enhance the carrier's ability to offer products and 
services tailored to the customer's needs.  
o A carrier also may state in the notification that it may be 
compelled to disclose CPNI to any person upon affirmative 
written request by the customer.
· A carrier may not include in the notification any statement 
attempting to encourage a customer to freeze third-party access to 
CPNI.
· The notification must state that any approval, or denial of approval 
for the use of CPNI outside of the service to which the customer 
already subscribes from that carrier is valid until the customer 
affirmatively revokes or limits such approval or denial.
· A telecommunications carrier's solicitation for approval must be 
proximate to the notification of a customer's CPNI rights. [47 
C.F.R. § 64.2008]
o Notice Requirements Specific to Opt-Out 
§ A telecommunications carrier must provide notification to obtain opt-out 
approval through electronic or written methods, but not by oral 
communication, except as allowed for notice requirements specific to one-
time use of CPNI. 
§ Carriers using the opt-out mechanism must provide notices to their 
customers every two years.
§ Waiting periods:
· Carriers must wait for a minimum of 30 days after giving 
customers notice and an opportunity to opt-out before assuming 
customer approval to use, disclose, or permit access to CPNI.  
o A carrier may, in its discretion, provide for a longer period.  
· Carriers must notify customers as to the applicable waiting period 
for a response before approval is assumed.
o In the case of an electronic form of notification, the 
waiting period shall begin to run from the date on which 
the notification was sent; and
o In the case of notification by mail, the waiting period shall 
begin to run on the third day following the date that the 
notification was mailed.
9
§ E-mail notifications:
· Telecommunications carriers that use e-mail to provide opt-out 
notices must comply with the following requirements in addition to 
the requirements generally applicable to notification:
o Carriers must obtain express, verifiable, prior approval 
from consumers to send notices via e-mail regarding their 
service in general, or CPNI in particular;
o Carriers must allow customers to reply directly to e-
mails containing CPNI notices in order to opt-out;
o Opt-out e-mail notices that are returned to the carrier as 
undeliverable must be sent to the customer in another form 
before carriers may consider the customer to have received 
notice;
o Carriers that use e-mail to send CPNI notices must ensure 
that the subject line of the message clearly and accurately 
identifies the subject matter of the e-mail; and
o Telecommunications carriers must make available to every 
customer a method to opt-out that is of no additional cost to 
the customer and that is available 24 hours a day, seven 
days a week
§ Carriers may satisfy this requirement through a 
combination of methods, so long as all customers 
have the ability to opt-out at no cost and are able to 
effectuate that choice whenever they choose. [47 
C.F.R. § 64.2008]
o Notice Requirements Specific to Opt-In
§ A telecommunications carrier may provide notification to obtain opt-in 
approval through oral, written, or electronic methods.  [47 C.F.R. § 
64.2008]
o Notice Requirements Specific to One-Time Use of CPNI
§ Carriers may use oral notice to obtain limited, one-time use of CPNI for 
inbound and outbound customer telephone contacts for the duration of the 
call, regardless of whether carriers use opt-out or opt-in approval based on 
the nature of the contact.
10
§ The contents of any such notification must comply with the content of 
notice requirements, except that telecommunications carriers may omit 
any of the following notice provisions if not relevant to the limited use for 
which the carrier seeks CPNI:
· Carriers need not advise customers that if they have opted-out 
previously, no action is needed to maintain the opt-out election;
· Carriers need not advise customers that they may share CPNI with 
their affiliates or third parties and need not name those entities, if 
the limited CPNI usage will not result in use by, or disclosure to, 
an affiliate or third party;
· Carriers need not disclose the means by which a customer can 
deny or withdraw future access to CPNI, so long as carriers explain 
to customers that the scope of the approval the carrier seeks is 
limited to one-time use; and
· Carriers may omit disclosure of the precise steps a customer must 
take in order to grant or deny access to CPNI, as long as the carrier 
clearly communicates that the customer can deny access to his 
CPNI for the call. [47 C.F.R. § 64.2008]
C. Recordkeeping Requirements
Ų Establishing a password 
o To establish a password, a telecommunications carrier must authenticate the 
customer without the use of readily available biographical information, or account 
information.  
§ Telecommunications carriers may create a back-up customer 
authentication method in the event of a lost or forgotten password, but 
such back-up customer authentication method may not prompt the 
customer for readily available biographical information, or account 
information.
o If a customer cannot provide the correct password or the correct response for the 
back-up customer authentication method, the customer must establish a new 
password. [47 C.F.R. § 64.2010(e)]
11
Ų Records related to breaches 
o All carriers shall maintain a record, electronically or in some other manner, of any 
breaches discovered, notifications made to the USSS and the FBI, and 
notifications made to customers. The record must include, if available, dates of 
discovery and notification, a detailed description of the CPNI that was the subject 
of the breach, and the circumstances of the breach. 
o Carriers shall retain the record for a minimum of two years. [47 C.F.R. § 
64.2011(d)]
Ų Records of approval 
o A telecommunications carrier must maintain records of customer approval for use 
of CPNI, whether oral, written, or electronic, for at least one year. [47 C.F.R. § 
64.2007(a)(3)]
Ų Records of notification 
o A telecommunications carrier must maintain records of customer notification of 
the customers’ right to restrict use of CPNI, whether oral, written, or electronic, 
for at least one year. [47 C.F.R. § 64.2008(a)(2)]
Ų Records of marketing campaigns using CPNI
o All carriers shall maintain a record, electronically or in some other manner, of 
their own and their affiliates' sales and marketing campaigns that use their 
customers' CPNI.  All carriers shall maintain a record of all instances where CPNI 
was disclosed or provided to third parties, or where third parties were allowed 
access to CPNI. 
o The record must include a description of each campaign, the specific CPNI that 
was used in the campaign, and what products and services were offered as a part 
of the campaign. 
o Carriers shall retain the record for a minimum of one year. [47 C.F.R. § 
64.2009(c)]
12
Ų Records of supervisory review process
o Telecommunications carriers must establish a supervisory review process 
regarding carrier compliance with the rules for outbound marketing situations and 
maintain records of carrier compliance for a minimum period of one year. 
Specifically, sales personnel must obtain supervisory approval of any proposed 
outbound marketing request for customer approval. [47 C.F.R. § 64.2009(d)]
D. Filing Requirements
Ų Compliance certification – March 1 (annually)
o A telecommunications carrier must have an officer, as an agent of the carrier, sign 
and file with the Commission a compliance certificate on an annual basis.  The 
officer must state in the certification that he or she has personal knowledge that 
the company has established operating procedures that are adequate to ensure 
compliance with the Commission’s CPNI rules.
o The carrier must provide a statement accompanying the certificate explaining how 
its operating procedures ensure that it is or is not in compliance with the 
Commission’s CPNI rules. [47 C.F.R. § 64.2009(e)]
§ The carrier must include an explanation of any actions taken against data 
brokers; and 
· Carriers should report on proceedings instituted or petitions filed 
by a carrier at either state commissions, the court system, or at the 
Commission against data brokers.  [EPIC CPNI Order]
§ a summary of all customer complaints received in the past year concerning 
the unauthorized release of CPNI. [47 C.F.R. § 64.2009(e)]
· For the summary of customer complaints, carriers must report on 
the number of customer complaints a carrier has received related to 
unauthorized access to CPNI, or unauthorized disclosure of CPNI, 
broken down by category of complaint, e.g., instances of improper 
access by employees, instances of improper disclosure to 
individuals not authorized to receive the information, or instances 
of improper access to online information by individuals not 
authorized to view the information.  
· Carriers must also report on any information that they have with 
respect to the processes pretexters are using to attempt to access 
CPNI, and what steps carriers are taking to protect CPNI. [EPIC 
CPNI Order]
13
o This filing must be made annually with the Enforcement Bureau on or before 
March 1 in EB Docket No. 06-36, for data pertaining to the previous calendar 
year. [47 C.F.R. § 64.2009(e)]
§ The Enforcement Bureau compliance certification guidance with a 
suggested template can be found at 
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-08-171A1.doc.
Ų Notice of failure of opt-out mechanism – five days 
o Carriers must provide written notice within five business days to the 
Commission of any instance where the opt-out mechanisms do not work properly, 
to such a degree that consumers' inability to opt-out is more than an anomaly.
§ The notice shall be in the form of a letter, and shall include the carrier's 
name, a description of the opt-out mechanism(s) used, the problem(s) 
experienced, the remedy proposed and when it will be/was implemented, 
whether the relevant state commission(s) has been notified and whether it 
has taken any action, a copy of the notice provided to customers, and 
contact information.
§ Such notice must be submitted even if the carrier offers other methods by 
which consumers may opt-out. [47 C.F.R. § 64.2009(f)]
III. COMPLIANCE DATES
Ų Dec. 8, 2007 – EPIC CPNI Order rules effective, including new sections 64.2010 
(passwords) and 64.2011 (law enforcement and customer notifications)
Ų June 8, 2008 – Small businesses must comply with the online customer authentication 
requirements of EPIC CPNI Order
Ų March 1 annually – Compliance certification filed with the Commission pursuant to 47 
C.F.R. § 64.2009(e) (see rules above)
IV. IMPORTANT DEFINITIONS
Ų Account information. "Account information" is information that is specifically connected 
to the customer's service relationship with the carrier, including such things as an account 
number or any component thereof, the telephone number associated with the account, or 
the bill's amount. [47 C.F.R. § 64.2003]
14
Ų Address of record. An "address of record," whether postal or electronic, is an address 
that the carrier has associated with the customer's account for at least 30 days. [47 
C.F.R. § 64.2003]
Ų Affiliate. The term “affiliate” means a person that (directly or indirectly) owns or 
controls, is owned or controlled by, or is under common ownership or control with, 
another person.  For purposes of this paragraph, the term “own” means to own an equity 
interest (or the equivalent thereof) of more than 10 percent. [47 C.F.R. § 64.2003]
Ų Breach. A "breach" has occurred when a person, without authorization or exceeding 
authorization, has intentionally gained access to, used, or disclosed CPNI. [47 C.F.R. § 
64.2011(e)]
Ų Call detail information. The term “call detail information” means any information that 
pertains to the transmission of specific telephone calls, including, for outbound calls, the 
number called, and the time, location, or duration of any call and, for inbound calls, the 
number from which the call was placed, and the time, location, or duration of any call. 
[47 C.F.R. § 64.2003]
Ų Carrier. See “telecommunications carrier,” below.
Ų Communications carrier. See “telecommunications carrier,” below.
Ų Communications-related services. The term "communications-related services" means 
telecommunications services, information services typically provided by 
telecommunications carriers, and services related to the provision or maintenance of 
customer premises equipment. [47 C.F.R. § 64.2003]
Ų CPNI. See “customer proprietary network information,” below.
Ų Customer. A customer of a telecommunications carrier is a person or entity to which the 
telecommunications carrier is currently providing service. [47 C.F.R. § 64.2003]
Ų Customer proprietary network information. 
o The term “customer proprietary network information” means—
§ information that relates to the quantity, technical configuration, type, 
destination, location, and amount of use of a telecommunications service 
subscribed to by any customer of a telecommunications carrier, and that is 
made available to the carrier by the customer solely by virtue of the 
carrier-customer relationship; and
§ information contained in the bills pertaining to telephone exchange service 
or telephone toll service received by a customer of a carrier;
15
§ except that such term does not include subscriber list information.  [47 
U.S.C. § 222(h)]
o Practically speaking, CPNI includes information such as the phone numbers 
called by a consumer; the frequency, duration, and timing of such calls; and any 
services purchased by the consumer, such as call waiting.  CPNI therefore 
includes some highly-sensitive personal information, but CPNI does not include 
subscriber list information. [47 C.F.R. § 64.2003]
Ų Customer premises equipment. The term “customer premises equipment” means 
equipment employed on the premises of a person (other than a carrier) to originate, route, 
or terminate telecommunications. [47 C.F.R. § 64.2003]
Ų Data broker. The term “data broker” means one who sells other individuals’ personal 
telephone records for a price.  [See EPIC CPNI Order]
Ų Information services typically provided by telecommunications carriers. The phrase 
"information services typically provided by telecommunications carriers" means only 
those information services that are typically provided by telecommunications carriers, 
such as Internet access or voice mail services.  Such phrase "information services 
typically provided by telecommunications carriers," as used in this subpart, shall not 
include retail consumer services provided using Internet Web sites (such as travel 
reservation services or mortgage lending services), whether or not such services may 
otherwise be considered to be information services.  [47 C.F.R. § 64.2003]
Ų Interconnected VoIP service. An interconnected Voice over Internet protocol (VoIP) 
service is a service that:
o enables real-time, two-way voice communications; 
o requires a broadband connection from the user's location; 
o requires Internet protocol-compatible customer premises equipment (CPE); and
o permits users generally to receive calls that originate on the public switched 
telephone network and to terminate calls to the public switched telephone 
network.  [47 C.F.R. §§ 9.3, 64.2003 (defining telecommunications carrier to 
include an entity that provides interconnected VoIP service)]
Ų Opt-in approval. The term "opt-in approval" refers to a method for obtaining customer 
consent to use, disclose, or permit access to the customer's CPNI.  This approval method 
requires that the carrier obtain from the customer affirmative, express consent allowing 
the requested CPNI usage, disclosure, or access after the customer is provided 
appropriate notification of the carrier's request consistent with the requirements set forth 
in this subpart. [47 C.F.R. § 64.2003]
16
Ų Opt-out approval. The term "opt-out approval" refers to a method for obtaining customer 
consent to use, disclose, or permit access to the customer's CPNI.  Under this approval 
method, a customer is deemed to have consented to the use, disclosure, or access to the 
customer's CPNI if the customer has failed to object thereto within the waiting period
after the customer is provided appropriate notification of the carrier's request for consent 
consistent with the rules in this subpart. [47 C.F.R. § 64.2003]
Ų Pretexters. The term “pretexters” means individuals who obtain unauthorized access to 
CPNI, including what calls were made to and/or from a particular telephone number and 
the duration of such calls. [EPIC CPNI Order]
Ų Pretexting. The term “pretexting” means the practice of pretending to be a particular 
customer or other authorized person in order to obtain access to that customer’s call detail 
or other private communications records.  Pretexting is a criminal offense subject to fines 
and imprisonment under the Telephone Records and Privacy Protection Act of 2006. 
[EPIC CPNI Order]
Ų Readily available biographical information. "Readily available biographical information" 
is information drawn from the customer's life history and includes such things as the 
customer's social security number, or the last four digits of that number; mother's maiden 
name; home address; or date of birth. [47 C.F.R. § 64.2003]
Ų Small business. See “small entity,” below.
Ų Small entity. The Regulatory Flexibility Act generally defines the term “small entity” as 
having the same meaning as the terms “small business,” “small organization,” and “small 
governmental jurisdiction.”  The term “small business” has the same meaning as the term 
“small business concern” under the Small Business Act. A small-business concern shall 
be deemed to be one which is independently owned and operated and which is not 
dominant in its field of operation.  Moreover, the term “small entity” applies to small 
organizations (nonprofits) and to small governmental jurisdictions (cities, counties, 
towns, townships, villages, school districts, and special districts with populations of less 
than 50,000).  Generally for service providers, this means, among other requirements, 
that the business has 1500 or fewer employees.  However, what qualifies as a small 
business varies greatly with the type of business.  [EPIC CPNI Order, appendix C]
Ų Subscriber list information. The term “subscriber list information” means any 
information—
o identifying the listed names of subscribers of a carrier and such subscribers' 
telephone numbers, addresses, or primary advertising classifications (as such 
classifications are assigned at the time of the establishment of such service), or 
any combination of such listed names, numbers, addresses, or classifications; and
o that the carrier or an affiliate has published, caused to be published, or accepted 
for publication in any directory format. [47 U.S.C. § 222(h)]
17
Ų Telecommunications carrier. “Telecommunications carrier,” “communications carrier,” 
and “carrier” means any provider of telecommunications services, except that such term 
does not include aggregators of telecommunications services.  A telecommunications 
carrier shall be treated as a common carrier only to the extent that it is engaged in 
providing telecommunications services.  For the purpose of the Commission’s CPNI 
rules, the term "telecommunications carrier" or "carrier" shall include an entity that 
provides interconnected VoIP service.  [47 C.F.R. § 64.2003]
Ų Telecommunications service. The term “telecommunications service” means the offering 
of telecommunications for a fee directly to the public, or to such classes of users as to be 
effectively available directly to the public, regardless of the facilities used. [47 C.F.R. § 
64.2003]
Ų Telephone number of record. A “telephone number of record” is the telephone number 
associated with the underlying service, not the telephone number supplied as a customer's 
"contact information." [47 C.F.R. § 64.2003]
Ų Valid Photo ID. A "valid photo ID" is a government-issued means of personal 
identification with a photograph such as a driver's license, passport, or comparable ID 
that is not expired. [47 C.F.R. § 64.2003]
V. WEB LINKS
FCC 07-22 (EPIC CPNI Order), 22 FCC Rcd 6927 (2007): 
http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.pdf
DA 07-4915 (establishing effective dates for EPIC CPNI Order): 
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-07-4915A1.pdf
FCC 02-214 (2002 CPNI Order), 17 FCC Rcd 14860 (2002): 
http://hraunfoss.fcc.gov/edocs_public/attachmatch/FCC-02-214A1.pdf
DA 08-171 (providing guidance for annual CPNI compliance certifications)
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-08-171A1.pdf  
http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-08-171A1.doc