Beyond CPNI: Sixth Circuit Confirms FCC’s § 201(b) Power to Regulate PII Breach Reporting and Narrows the CRA “Substantially-the-Same” Bar
Introduction
In Ohio Telecom Association v. FCC, Nos. 24-3133/3206/3252 (6th Cir. Aug. 13, 2025), the United States Court of Appeals for the Sixth Circuit denied three consolidated petitions challenging the Federal Communications Commission’s 2024 Data-Breach Reporting Order. The Order obliges common carriers and Telecommunications Relay Service (TRS) providers to notify law-enforcement agencies, the FCC, and customers when “covered data”—now including personally identifiable information (PII)—is breached.
Petitioners—four large trade associations—argued that (1) section 222 of the Communications Act does not authorize PII regulation; (2) section 201(b) cannot be stretched to cover data privacy; and (3) Congress’s 2017 Congressional Review Act (CRA) disapproval of the FCC’s 2016 Broadband Privacy Order permanently barred any similar rule. Writing for the court, Judge Jane B. Stranch (joined by Judge Mathis) rejected all three propositions. Judge Griffin dissented on the statutory and CRA questions but joined the jurisdictional analysis.
Summary of the Judgment
- Statutory Authority: The court held that section 222(a) does not empower the FCC to regulate PII but that section 201(b) does. The majority reasoned that a carrier’s failure to notify consumers of a data breach is a “practice … in connection with” communication service and can be declared “unjust or unreasonable.”
- CRA Challenge: The 2017 joint resolution barred only re-issuance of a rule “substantially the same” as the entire 2016 Order, not each individual provision. Because the 2024 Order is much narrower, it survives.
- Section 225: The same requirements can be applied to TRS providers under the ADA’s functional-equivalency mandate.
- Disposition: Petitions for review denied; FCC rule stands.
Analysis
A. Precedents Cited and Their Influence
- Global Crossing Telecomms., Inc. v. Metrophones Telecomms., Inc., 550 U.S. 45 (2007)
• Confirmed that § 201(b) reaches carrier “practices” beyond pure rate-setting.
• Sixth Circuit used Global Crossing to analogize refusal to pay compensation (there) with failure to notify breach (here).
- Loper Bright Enterprises v. Raimondo, 603 U.S. 369 (2024)
• Abrogated Chevron deference.
• Court stressed its independent duty to find the “single, best meaning” of statutory text.
- Council Tree Communications, Inc. v. FCC, 503 F.3d 284 (3d Cir. 2007) & W. Union Tel. Co. v. FCC, 773 F.2d 375 (D.C. Cir. 1985)
• Used for the jurisdictional holding that an FCC order is “entered” upon Federal Register publication.
- RadLAX Gateway Hotel, LLC v. Amalgamated Bank, 566 U.S. 639 (2012)
• Instructive on the general/specific canon; majority distinguished, dissent relied on it.
- Multiple FCC policy orders from 1998-2016 tracing the evolution of CPNI and privacy rules, especially the rescinded 2016 Broadband Privacy Order.
B. The Court’s Legal Reasoning
1. Statutory Construction
- Section 222(a): Phrase “proprietary information of … customers” does not include PII. Reading it that broadly would create anomalies with § 222(d) exceptions and clash with Congress’s choice to mention PII expressly elsewhere in the Act.
- Section 201(b): Text covers any “practice … in connection with” furnishing service. Ordinary meaning of “practice” (habitual mode of operation) plus Global Crossing persuaded the court that breach-notification duties are within scope.
- General/Specific Canon: § 222 regulates only CPNI, aggregate data, and subscriber lists; because PII lies outside those categories, § 201(b) is not displaced.
- Functional Equivalency (Section 225): Since carriers must protect PII, equal protection is necessary for disabled users’ relay services to be “functionally equivalent.”
2. Congressional Review Act
- CRA bars rules “substantially the same” as a disapproved rule. Congress disapproved the entire 2016 Order; court therefore compared whole-to-whole.
- 2024 Order only addresses breach notification (and in a refined form) vs. the 2016 omnibus privacy regime. Differences in scope, content requirements, good-faith exception, and inclusion of TRS convinced the majority the rules were not “substantially the same.”
- Jurisdiction preserved because § 805 precludes review only of actions “under” the CRA (e.g., whether Congress missed a deadline), not of an agency rule later alleged to violate the CRA.
C. Impact of the Decision
The decision sets two important precedents:
- § 201(b) as a Privacy Tool – Post-Loper Bright, courts must independently interpret statutes. Here the Sixth Circuit nevertheless found sufficient textual anchoring in § 201(b) to regulate PII, inviting the FCC (and possibly other circuits) to use that section for modern privacy issues.
- CRA Interpretation – By limiting “substantially the same” comparisons to the disapproved rule in its entirety, the opinion curtails the CRA’s force and gives agencies leeway to re-package previously rejected components in narrower stand-alone rules.
Expect:
- Fresh FCC initiatives on data security using § 201(b).
- Litigation in other circuits contesting whether § 201(b) similarly empowers regulation of AI-driven customer analytics, geolocation sharing, or dark-pattern marketing.
- Possible congressional amendments to the CRA or to § 222, if lawmakers view the ruling as diluting legislative veto power.
D. Complex Concepts Simplified
- CPNI vs. PII
• CPNI: Technical “metadata” about phone service (numbers dialed, minutes, etc.).
• PII: Any data that can identify a person (name+SSN, biometrics, login credentials).
- § 201(b) “Practices”
• Any routine carrier conduct tied to service provision; court says this includes breach-notice failures.
- Congressional Review Act (CRA)
• Allows Congress to nullify agency rules within 60 legislative days; bars “re-issuance” of a rule that is “substantially the same” unless Congress authorizes otherwise.
- Functional Equivalency (§ 225)
• TRS for hearing/speech impaired users must be as effective as ordinary voice services; thus privacy rules cannot be weaker for the disability community.
Conclusion
Ohio Telecom Association v. FCC is the first appellate decision after Loper Bright to sustain an agency’s privacy rule on purely judicial, non-deferential grounds. By reading § 201(b) expansively and the CRA narrowly, the Sixth Circuit has:
- Confirmed an independent statutory foothold—separate from § 222—for FCC regulation of modern privacy harms.
- Placed a limitation on the CRA that significantly reduces its bite against agency “second tries.”
- Signaled that courts will still uphold broad agency authority when statutory language, history, and structure align—even without Chevron.
Whether other circuits will adopt this approach, and whether Congress will respond to shore up the CRA or clarify § 222, remains to be seen. For now, carriers must prepare robust breach-notification protocols for PII, and regulators across the federal government will study § 201(b)’s newly affirmed elasticity.