The Federal Communications Commission (FCC) requires all telecommunications carriers and interconnected VoIP providers to file their Annual Customer Proprietary Network Information (CPNI) Certifications no later than March 3, 2025. This certification confirms compliance with the FCC’s strict privacy and security rules governing the handling and protection of customer data throughout the prior calendar year.
All affected service providers must file, failure to comply may result in FCC enforcement action, including significant monetary penalties.
CPNI Certification Filing Requirements
Who Must File?
All telecommunications carriers and interconnected VoIP providers must file FCC Form CPNI Certification detailing their CPNI compliance practices, any data security breaches, and actions taken against data brokers. Even if a provider does not actively use, disclose, or grant access to CPNI, they are still required to file an affirmative statement confirming compliance.
What is CPNI?
CPNI includes sensitive customer information related to their telecommunications services, including:
- Call records (phone numbers dialed, call duration, and frequency)
- Location data (when a mobile device is in use)
- Billing details and service usage (such as voicemail, call waiting, or additional features)
Service providers must ensure adequate safeguards are in place to protect against unauthorized access, disclosure, or misuse of CPNI.
Certification Requirements
A valid CPNI Certification must:
- Be signed by a corporate officer (under penalty of perjury) attesting to compliance with the FCC’s rules.
- Describe internal CPNI policies and procedures to prevent unauthorized use or disclosure.
- Include details of any CPNI-related breaches, complaints, or enforcement actions.
- Confirm whether the company has taken any action against data brokers and, if not, include an affirmative statement attesting to that fact.
FCC Enforcement & Potential Penalties
Failure to file timely or comply with CPNI rules may result in severe FCC penalties, including:
- Fines of up to $$251,322 per violation per day, with a maximum penalty of $2,513,215 .
- Criminal penalties for false statements under Title 18 of the U.S. Code.
Heightened scrutiny from the FCC Enforcement Bureau, which has repeatedly emphasized that failure to file a timely and complete certification calls into question whether a company has complied with the rules requiring it to protect the privacy and security of customers’ sensitive information.
Key Steps for Compliance Before the March 3 Deadline
Review & Update Internal CPNI Policies
- Ensure your company has clear, enforceable procedures to protect CPNI.
- Train employees on when and how they are authorized to use or disclose CPNI.
Conduct a Compliance Audit
Review whether your company has:
- Obtained customer consent for CPNI use.
- Provided customers with notification of their right to restrict CPNI use.
- Implemented reasonable safeguards to detect and prevent unauthorized access.
- Complied with FCC breach notification requirements in the event of a security incident.
Prepare & File Your CPNI Certification
- Ensure the filing officer fully understands the certification statement before signing.
- Submit a complete and accurate certification to the FCC before the Saturday, March 3 deadline.
How We Can Help
Navigating CPNI compliance can be challenging, but our firm is here to assist. We offer:
- CPNI Compliance Reviews – Ensuring your company meets all FCC requirements.
- Drafting & Filing Assistance – We can help prepare and submit your CPNI Certification on time.
- Employee Training – Providing tailored training to ensure your personnel fully understand CPNI obligations and best practices.
If you need assistance or have further questions, contact the attorney assigned to your account or directly contact members of The CommLaw Group’s Privacy and Data Security practice group:
Susan Duarte: 703-714-1318 | sfd@commlawgroup.com
Diana James: (703) 663-6757| daj@commlawgroup.com
