As a telecommunications carrier, we collect and maintain Customer Proprietary Network Information, or "CPNI.” CPNI is information generated by the telecommunications services we provide to our customers. This includes subscription information (like rate plan and features), usage information (like call logs—including date, time, phone numbers called, and duration of calls), and billing information related to the services. CPNI does not include customers’ names, addresses, or phone numbers—we do, nonetheless, treat that information with care.
We’ve implemented policies and procedures to help ensure our compliance with the CPNI rules adopted by the Federal Communications Commission (FCC), and we continually review our compliance. We also certify our compliance to the FCC annually. The bottom line is that we will not intentionally use, access, or disclose your CPNI to third parties without your permission, except as allowed under the FCC’s rules or other applicable law. Where applicable—based on brand and account type—if you are the primary account holder you may designate other "authorized users" to access and manage your account information. In that case, your authorized users will also be provided access to all the CPNI associated with your account—not just the line they are using. For more information about authorized users’ permissions please visit T-Mobile Support.
The FCC’s rules are complex. To help you understand why we do things the way we do, we’ve outlined a few key requirements and described how we address them in practice.
Carriers are prohibited from releasing call details during customer-initiated telephone contacts, except when the customer has previously established a password for their account. Otherwise, carriers can only release call details by sending it to an address of record or by calling the customer at the telephone number of record.
- Except for T-Mobile Puerto Rico, our policy is not to disclose call details over the telephone in response to customer-initiated calls. T-Mobile Puerto Rico may disclose call details over the telephone in response to a customer-initiated call, but only after verifying the customer’s account password and a one-time-use Personal Identification Number (or “PIN”) sent to the customer’s device via SMS text message during the call.
Carriers must provide mandatory password protection for online account access.
- We provide online account access to CPNI only with a password that is initially established through use of a randomly generated PIN delivered to the customer via SMS text message. Where applicable (based on brand and account type), for multi-line accounts the customer may designate himself/herself as the primary account holder, which gives that person access to online account information for all the devices/lines on the account. Other users may access detailed online account information related only to their respective device/line. For example, if you provide a phone to a family member, they may access online information about that device/line—including CPNI. The primary account holder, however, may designate additional or more limited online access rights for other users. Different rules may apply to T-Mobile for Business accounts. For more information on how to set up line permissions visit T-Mobile Support.
Carriers may provide CPNI to customers in a retail location with a valid government issued photo ID.
- For post-paid accounts, we require a valid government-issued photo ID matching the customer or authorized user’s account information prior to disclosing CPNI during a visit to a retail store. We utilize a customer-established PIN for authentication of pre-paid accounts at retail locations.
Carriers must notify their customers when a password, address, and certain other account changes occur.
- We provide notice whenever, among other changes, a password, back-up question and response, online account, or address of record is created or changed. The notices do not include or reveal the changed information.
- These notices are sent to the customer’s or authorized user’s number of record, although in some cases we may mail notice to an address that has been associated with the customer’s account for at least 30 days (except for accounts activated within the last 30 days, in which case the notice is sent to the address provided at account activation).
Carriers must establish a notification process for both law enforcement and customers in the event of a CPNI breach. Specifically, carriers must notify the United States Secret Service (“USSS”) and the Federal Bureau of Investigation (“FBI”) after discovering a breach of CPNI.
- We notify law enforcement as soon as practicable, but in no event later than seven (7) business days, after we determine that a breach of a customer’s CPNI has occurred. Similarly, in most cases we notify customers of the breach no sooner than the eighth business day following completion of the notice to law enforcement unless directed by the U.S. Secret Service or the FBI not to so disclose or notify customers. We may extend the period for customer notification pursuant to a written request of a relevant law enforcement agency.
We are committed to protecting our customers’ CPNI and complying with the FCC’s CPNI rules. Questions and/or concerns may be directed to firstname.lastname@example.org. The FCC’s CPNI Rules are codified in 47 C.F.R. § 64.2001 et seq.