CHARLES E. GRASSLEY. IOWA, CHAIRMAN 
ORRIN G. HATCH, UTAH PATAICKJ. LEAHY. VERMONT 
JEFF SESSIONS, ALABAMA DIANNE FEINSTEIN, CALIFORNIA 
LINOSEY 0. GRAHAM, SOUTH CAROLINA CHARLES E SCHUMER, NEW YORK 
JOHN CORNYN, TCXAS RICHARD J. DURBIN, ILLINOIS 
MICHAELS LEE, UTAH SHELDON WHITEHOUSE. RHODE ISLAND 
TED CRUZ, TEXAS AMY KLOBUCHAR. MINNESOTA 
JEFF FLAKE, ARIZONA AL FRANKEN, MINNESOTA 
DAVID VITTER, LOUISIANA CHRISTOPHER A. COONS, DELAWARE 
DAVID A. PERDUE, GEORGIA RICHARD BLUMENTHAL, CONNECTICUT 
THOM TllllS. NORTH CAROLINA 
Km AN L 0Av•"· Clliof Counsel and Staff Director 
KRISTIN[ J. Lucius, Democratic Chitif Counsel arJd Scalf Director 
ilnit£d ~rates ~rnat£ 
COMMITTEE ON THE JUDICIARY 
WASHINGTON, DC 20510-6275 
January 29, 2016 
Chairman Tom Wheeler 
Federal Communications Commission 
445 12th Street, SW 
Washington, DC 20554 
Dear Chairman Wheeler: 
I write with questions regarding the Federal Communication Commission (FCC) and what some 
have described as its problematic and overreaching actions regarding consumer privacy regulation 
of broadband providers. 
As you know, following the FCC's controversial Title II Order of February 2015, the FCC's 
Enforcement Bureau issued an enforcement advisory regarding consumer privacy on May 20th, 
2015. In the advisory, the Enforcement Bureau purported to "provide[] guidance to broadband 
providers about how [it] intend[ ed] to enforce Section 222" of the Communications Act, which 
requires telecommunications carriers to protect customer proprietary network information (CPNI). 
The Bureau specified that it "intends to focus on whether broadband providers are taking 
reasonable, good-faith steps, to comply with Section 222." It also contemplated "further guidance 
and/or adoption of regulations applying Section 222" to broadband. 
As Chairman, you have indicated that the FCC was in the process of commencing a rulemaking to 
establish concrete rules with respect to consumer privacy. In June 2015 speech, you suggested that 
that the Commission ''committed in the [Title II Order] to address issues of privacy implicated by 
consumers' use of the Internet" and that the FCC "will begin that process with a Notice of Proposed 
Rulemaking in the autumn." You also said in a November interview that the FCC would act on 
privacy within the "next several months." With the autumn behind us and the winter deadline 
approaching, I can only assume that the FCC is still contemplating a rulemaking with respect to 
broadband privacy. 
It is not clear that the FCC has the authority to police consumer privacy in the manner 
contemplated. However, given this background, I would responses to the following questions: 
58
1. The enforcement advisory states that "the Enforcement Bureau intends to focus on whether 
broadband providers are taking reasonable, good-faith steps, to comply with Section 222, 
rather than focusing on teclmical details." 
a. What specifically does the FCC consider to be "reasonable, good-faith steps"? 
b. What specific legal standard does the FCC apply in determining whether a 
broadband provider's activity to protect consumer privacy is "reasonable"? 
c. What specific actions by a broadband provider would the FCC consider mere 
"technical details"? 
d. I-low does the FCC define CPNI as used in Section 222? Is it coterminous with 
personal identifiable information (PII)? If not, how does CPNI under Section 222 
differ from PII in the eyes of the FCC? What does the FCC believe is its legal 
authority with respect to the protection of PII? 
2. How many investigations or i11quiries regarding the privacy practices of broadband 
providers were commenced after release of the Title II Order? 
a. How many remain open? 
L Please provide me with: 
I. A list of providers currently under investigation 
2. For each such provider, a description of the alleged conduct that led 
the agency to initiate an investigation 
3. A list of providers involved in investigations tl1at were closed, and 
4. For each such provider, a description of the conduct under 
investigation and the resolution. 
3. 011November5, 2015, the FCC entered into a settlement with Cox Communications, Inc., 
following a data breach suffered by Cox. This was widely regarded as the FCC's first 
privacy and data-security enforcement action against a cable operator. As a condition of 
settlement, the FCC required Cox to pay a penalty of $595,000 and to adopt a 
comprel1ensive compliance prograin, including system audits and breach notification 
systems. 
a. Is it the FCC's view that the PII of Cox's broadband customers is currently covered 
by the Title II Order as interpreted by the May enforcement advisory? 
b. Were the Cox investigation and settlement undertaken solely pursuant to the 
Enforcement Bureau's asserted authority under the Title II Order as interpreted by 
the May enforcement advisory? 
c. If not, wl1at was the specific legal authority for the Cox investigation and 
settleme11t? 
4. You have said repeatedly that the FCC plans to propose rules pursuant to Section 222 that 
would impose privacy-related requirements on broadband providers, as contemplated by 
the Title II Order. 
a. Do you expect to circulate to your colleagues a notice of proposed rulemaking? If 
so, \Vhen? 
b. Which bureaus and offices within the FCC are participating in the drafting process? 
1. Are you also consulting or coordinating witl1 executive agencies or other 
independent agencies within the Federal government? If so, which one(s)? 
In addition to your prompt response, I request that you brief my staff on any proposed rules under 
consideration, including the status of and the legal authority for any rulema.king. I appreciate your 
attention to this matter, in strict accordance with all existing agency rules, regulations, and ethical 
guidelines. 
-
Chairman 
Subcommittee Privacy, Technology and the Law 
cc Mignon Clyburn, Commissioner 
Jessica Rosenworcel, Commissioner 
Ajit Pai, Commissioner 
Michael O'Reilly, Commissioner 
JEFF FLAKE 
SR 413 RussrLL SrNATE Orne~ Bu1101NC\ 
(2021224-4521 
COMMITTEE ON FOREIGN RELATIONS 
COMMITTEE ON 
ENERGY AND NATURAL RESOURCES 
COMMITTEE ON THE JUDICIARY 
COMMITTEE ON AGING 
Chairman Tom Wheeler 
United rStatcs ~cnatc 
WASHINGTON, DC 20510-0305 
March 4, 2016 
STA TE OFFICES 
2200 EAST CAMELBACK ROAD 
SUITE 120 
PHOENIX, AZ. 85016 
(6021840 1891 
6840 NORTH ORACLE ROAD 
SUITE 150 
TUCSON, AZ. 85704 
(5:101 575 $33 
Federal Communications Commission 
445 12th Street, SW 
Washington, DC 20554 
Dear Chairman Wheeler: 
I write to follow up on my letter to you from January 29, 2016. As you recall this letter regarded 
the FCC's proposed consumer-privacy regulation of broadband providers under the FCC's 
controversial Title II Order. 
In my letter I requested answers to the fo llowing questions: 
1. The [FCC's May 20, 2015] enforcement advisory states that "the Enforcement Bureau 
intends to focus on whether broadband providers are talcing reasonable, good-faith steps, 
to comply with Section 222, rather than focusing on technical details." 
a. What specifically does the FCC consider to be "reasonable, good-faith steps"? 
b. What specific legal standard does the FCC apply in determining whether a 
broadband provider's activity to protect consumer privacy is "reasonable"? 
c. What specific actions by a broadband provider would the FCC consider mere 
"technical details"? 
d. How does the FCC define CPNI as used in Section 222? Is it coterminous with 
personal identifiable information (PII)? If not, how does CPNI under Section 222 
differ from PII in the eyes of the FCC? What does the FCC believe is its legal 
authority with respect to the protection of PII? 
2. How many investigations or inquiries regarding the privacy practices of broadband 
providers were commenced after release of the Title II Order? 
a. How many remain open? 
1. Please provide me with: 
I. A list of providers currently under investigation 
2. For each such provider, a description of the alleged conduct that 
led the agency to initiate an investigation 
3. A list of providers involved in investigations that were closed, and 
4. For each such provider, a description of the conduct under 
investigation and the resolution 
http.//www.senalo gov/Flake 
PRINTED ON RECYCLED PAPER 
16-162
3. On November 5, 2015, the FCC entered into a settlement with Cox Communications, 
Inc., following a data breach suffered by Cox. This was widely regarded as the FCC's 
first privacy and data-security enforcement action against a cable operator. As a condition 
of settlement, the FCC required Cox to pay a penalty of $595,000 and to adopt a 
comprehensive compliance program, including system audits and breach notification 
systems. 
a. Is it the FCC's view that the PII of Cox's broadband customers is currently 
covered by the Title 11 Order as interpreted by the May enforcement advisory? 
b. Were the Cox investigation and settlement undertaken solely pursuant to the 
Enforcement Bureau' s asserted authority under the Title II Order as interpreted by 
the May enforcement advisory? 
c. If not, what was the specific legal authority for the Cox investigation and 
settlement? 
4. You have said repeatedly that the FCC plans to propose rules pursuant to Section 222 that 
would impose privacy-related requirements on broadband providers, as contemplated by 
the Title II Order. 
a. Do you expect to circulate to your colleagues a notice of proposed rulemaking? If 
so, when? 
b. Which bureaus and offices within the FCC are participating in the drafting 
process? 
L Are you also consulting or coordinating with executive agencies or other 
independent agencies within the Federal government? If so, which one(s)? 
I also requested that you brief my staff on any and all proposed rules under consideration, 
including the status of and the legal authority for any rulemaking. 
While my letter asked for a "prompt response," it did not include a deadline for either your 
answers or the staff briefing. More than a month has passed without any response from you or 
the FCC. You have, however, told the Senate Commerce Committee this week that you expect to 
act on the proposed rulemaking "very soon, and that includes this month." 
I am therefore requesting that you provide answers to my questions by March 18, 2016. Given 
your stated intention to move forward on the rulemaking this month, I would now request that 
you meet with me in person to explain your proposal. If you are unable to comply with these 
requests, please provide me a specific explanation as to why you cannot by March 18, 2016. 
Sincerely, 
Senator Jeff Flake 
Chairman 
-
Subcommittee on Privacy, Technology and the Law