Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Restricting Your Cell Carrier’s Use of Your CPNI Data

I recently received a message from AT&T, my cellular service provider, alerting me to the fact that I could restrict AT&T from using my “customer proprietary network information” (CPNI) within the AT&T family of companies for AT&T’s own marketing purposes. The message was plainly written yet utterly inscrutable. For instance, it defines CPNI as including:

“the types of telecommunications and interconnected VoIP services you currently purchase, how you use them and the related billing for those services. CPNI does not include your telephone number, your name, or your address.”

It’s reassuring to know that CPNI does not include your telephone number, name, or address, but the phrase “how you use them” is as clear as mud. In its CPNI privacy policy, AT&T provides a little more information, such as the fact that “calling details” are also part of CPNI.

Confused, I turned to Geoff Duncan, who has written extensively on telecommunications and data privacy issues for TidBITS over the years. He explained that CPNI originally referred to anything that might appear on your bill, but now varies widely by service and carrier. With cellular carriers, it might include your data plan and usage, device info, location history, Web browsing history, and even demographic information.

What is CPNI used for? AT&T says that it “does not sell CPNI to unaffiliated third parties,” and another page about CPNI clarifies just which companies qualify as being able to use this information — there are a lot:

“The AT&T family of companies are those AT&T companies that provide communications-related products and/or services, including the AT&T local and long distance companies, AT&T Corp., AT&T Long Distance, AT&T Internet Services, AT&T Mobility and other subsidiaries or affiliates of AT&T Inc. that provide, design, market or sell these products and/or services.”

Geoff said that the FCC’s original regulatory framework was intended to prevent two practices. The first is uncompetitive upselling, which could happen if a telco used its CPNI to tweak pricing for additional services for a particular customer in ways that competitors couldn’t match, for instance. The second, “pretexting,” prevents CPNI from being purchased by an outside party that would then pretend to be the phone company in order to get a customer to disclose or do something they wouldn’t otherwise.

The most recent changes to the CPNI legislation were back in 2007, but Geoff said that AT&T started notifying customers about the company’s use of CPNI in 2012. Indeed, when I searched through my email archives on “CPNI,” there was just one hit, an identically worded message from AT&T, sent in August 2012.

Are there any actual abuses of CPNI? Yes. Additional research revealed, among many other stories at the Electronic Privacy Information Center (EPIC), that in 2014 Verizon paid a $7.4 million fine for using CPNI for marketing purposes without informing customers. Worse, AT&T had to pay a $25 million fine in 2015 for disclosing personal information (and misusing CPNI data) for almost 280,000 of its U.S. customers, thanks to crooks paying off employees in three AT&T call centers in Mexico, Colombia, and the Philippines to unlock stolen and/or grey market phones.

It’s important to realize that restricting a carrier from using your CPNI doesn’t prevent it from being collected, so opting out might not prevent such information from being swept up in data breaches like AT&T’s, but it certainly can’t hurt. Regardless, the fact that the FCC felt it was important to require telcos to offer such an opt-out makes me think it’s worth doing.

Restricting AT&T from using CPNI isn’t difficult, but it does require information you may not have handy. Follow these steps (or you can use a voice-response system at 800-315-8303 or talk to a person at 800-288-2020):

  1. Go to (Amusingly, the link underneath the associated text in the email message used a tracking link, which makes me wonder if a click on it would become part of my CPNI.)

  2. Enter your account number or customer ID and billing ZIP code, select Restrict Use of My CPNI, and click Submit.

    The tricky part here is getting your account number, which is most easily found on your bill or by logging in to AT&T’s site and looking in your profile. AT&T says it’s also available on the CPNI notice, which isn’t true — you can see my notice above, and there’s no ID on it.

What about other carriers and other types of personal information that’s gathered and potentially shared or sold? A page in the MIT Information Systems & Technology Knowledge Base offers links to opt out of these and other programs at AT&T, Verizon Wireless, and Sprint. I’d encourage everyone to explore those links — I discovered that although our phone numbers were opted out of AT&T’s “External Marketing & Analytics Reports,” they were still set to receive “Relevant Advertising — Wireless,” whatever that is. MIT’s page says that T-Mobile does not sell CPNI, which seems to match with T-Mobile’s CPNI page.

Personally, I’m not particularly perturbed to have my information used when businesses offer me products or services. However, if this information is so valuable, why do companies get to collect it (from services we’re paying for!) and use it for free? Wouldn’t it be interesting to put personal information into a marketplace, where you would get to say for what purposes it could be purchased, and for how much? Some Italian researchers did a study on the economics of personal data back in 2014, and there’s even a firm called Handshake aiming to do this, but it has been in closed beta since 2013, which isn’t a good sign. Still, food for thought…


Try productivity tools from Smile that will make your job easier!
PDFpen: PDF toolkit for busy pros on Mac, iPhone, and iPad.
TextExpander: Your shortcut to accurate writing on Mac, Windows,
and iOS. Free trials and friendly support. <>

Comments about Restricting Your Cell Carrier’s Use of Your CPNI Data
(Comments are closed.)

John Robinson  An apple icon for a TidBITS Supporter 2016-03-25 16:21
I received the same letter. I clicked on the link to opt out. Once I filled in the info and clicked opt out, the page refused to accept my opt out. I wound up calling the number and speaking w two operators, the second said she would opt out for me.

Do you think they will do as I request, or just laugh hysterically as I hung up.
Adam Engst  An apple icon for a TidBITS Staffer 2016-03-25 16:45
Boo on them! I'd take them at their word; you can always call back and check the status, if you have time to kill.

The form worked fine for me, happily.
Dave Nelson  2016-03-28 07:59
The form did not work for me either, it gave an error that suggested the process was currently unavailable.
Kimberly Andrew  An apple icon for a TidBITS Supporter 2016-03-26 16:16
Thanks for the link to the MIT site. I followed the instructions and discovered that Verizon had added a new CPNI: Business and Marketing Insights program. I turned that off. Guess I need to check things on a regular basis to see what else they quietly add.
Is there any other way to check CPNI status that calling? I quickly perused my account setting and didn't see anything. But they are not easy to check.

Here's the confirmation I got:

AT&T respects your privacy.

Your request has been sent for processing.

Thank you for contacting AT&T.

Will it be processed? Who knows?
Gene Beach  2016-04-04 17:03
Except that when trying to reach them it seems impossible. I have yet to find the way to opt out. I also, having had my home phone which wireless on vacation status even though I still have to pay the monthly bill, I had it reactivated by a person called Diego, I still cannot call out on the home phone. I am ready to opt out of A T & T altogether and find another carrier. If anyone reaches them you can tell them I am NOT HAPPY WITH THEIR SERVICE.