The “Direct-Connection” Doctrine: Sixth Circuit Confirms FCC Authority to Mandate PII-Breach Reporting and Clarifies the Scope of CRA Disapprovals
Introduction
In CTIA – The Wireless Association v. FCC, Nos. 24-3133/3206/3252 (6th Cir. Aug. 13, 2025), the United States Court of Appeals for the Sixth Circuit upheld the Federal Communications Commission’s 2024 Data-Breach Reporting Rule. The consolidated petitions—brought by three major telecommunications trade groups and others—challenged the FCC’s expansion of breach-notification duties to cover personally identifiable information (PII) in addition to customer proprietary network information (CPNI). Petitioners argued that the Commission (1) exceeded its statutory authority under the Communications Act and (2) violated the Congressional Review Act (CRA) because Congress had disapproved a similar 2016 rule.
Writing for the majority, Judge Jane B. Stranch (joined by Judge Mathis) rejected those arguments. The court devised a new interpretive lens—here dubbed the “Direct-Connection” doctrine—under which § 201(b) of the Communications Act empowers the FCC to prohibit “unjust or unreasonable practices” whenever the practice bears a “direct connection” to the furnishing of a communications service. The opinion also adopted a holistic reading of the CRA, holding that Congress’s 2017 disapproval of the 2016 Broadband Privacy Order barred only the entire disapproved order, not each of its component sub-rules.
Judge Griffin dissented. He would have invalidated the rule both because it is “substantially the same” as the one Congress vetoed and because § 201(b) cannot be stretched to reach data-breach reporting that, in his view, is not “inherent or necessary” to providing communications service.
Summary of the Judgment
- Jurisdiction. The petitions were timely because, under 47 C.F.R. §§ 1.103(b), 1.4(b), an FCC order is “entered” on the date it appears in the Federal Register, not the date it is released.
- Statutory Authority.
  - Section 222(a) does not authorize regulation of PII; its context shows Congress focused on CPNI, aggregate data, and subscriber-list information.
  - Section 201(b) does confer authority. A carrier’s failure to notify customers of a PII breach is a “practice … in connection with” its communication service because secure handling of customer data is directly intertwined with the service relationship.
  - Section 225’s functional-equivalency mandate allows extension of the same breach-reporting rules to TRS (relay service) providers.
- CRA Challenge. The 2017 joint resolution disapproved the FCC’s entire 2016 Broadband Privacy Order. Because the 2024 rule is not “substantially the same” as that whole order and differs in multiple respects, it is not barred by 5 U.S.C. § 801(b)(2).
- Outcome. Petitions for review DENIED; 2024 Data-Breach Reporting Rule stands.
Analysis
1. Precedents Cited
- Global Crossing Telecommunications, Inc. v. Metrophones Telecommunications, Inc., 550 U.S. 45 (2007) – Recognised § 201(b) as a flexible tool; Supreme Court upheld an FCC rule treating non-payment of payphone compensation as an “unreasonable practice.” The Sixth Circuit leans heavily on Global Crossing to support the idea that “practice” can include omissions (failure to notify) and that § 201(b) evolves with industry realities.
- Loper Bright Enterprises v. Raimondo, 603 U.S. 369 (2024) – Overruled Chevron deference; court emphasised its independent duty to find the statute’s “single, best meaning.” Used here to justify de-novo reading of §§ 201 and 222.
- California Independent System Operator Corp. v. FERC, 372 F.3d 395 (D.C. Cir. 2004) – Limited FERC’s use of “practice” language where agency tried to restructure a utility’s governance. Majority distinguishes it; dissent relies on it.
- Pulsifer v. United States, 601 U.S. 124 (2024) – Cited for the principle that different statutory terms usually carry different meanings.
- Multiple FCC Orders: 1998, 2007, 2016 Broadband Privacy Order, 2014 Terracom penalty, 2013 Relay Service Order.
2. The Court’s Legal Reasoning
2.1 Section 222(a): “Proprietary Information” ≠ PII
Although § 222(a) contains broad language, the majority places weight on in-statute context:
- Subsections (c), (d), (e), and (g) list detailed rules and exceptions focused exclusively on CPNI, aggregate data, and subscriber lists.
- Reading PII into § 222(a) would create anomalies: exceptions for billing or emergency disclosure would apply only to CPNI but not to PII.
- Elsewhere in the Communications Act, Congress expressly names PII, showing deliberate omission in § 222.
- Result: § 222(a) establishes a general duty but not the specific authority to impose PII-breach rules.
2.2 Section 201(b): Birth of the “Direct-Connection” Test
- Textual hook. “Practice … in connection with [a] communication service.” The ordinary meaning of “practice” is broad and covers omissions.
- Connectedness requirement. Drawing from Global Crossing, the court says an actionable practice must bear a direct (though not necessarily “inherent”) link to the furnishing of service. Securely handling data collected because of the service relationship meets that threshold.
- Rebuttal of canons invoked by petitioners. The majority rejects noscitur a sociis and the general/specific canon because (i) “practice” is linguistically distinct from “charges” and “classifications,” and (ii) § 222 and § 201(b) overlap only partially; § 222 does not regulate PII at all, so no conflict exists.
- Broader statutory mosaic. The FTC Act applies its “unfair practices” authority to most businesses but explicitly exempts common carriers. Reading § 201(b) as a parallel authority for carriers averts a regulatory vacuum.
2.3 CRA Interpretation
Key move: equate “the rule” in § 801(b)(2) with the whole rule that Congress cited in its joint resolution. Because the 2017 disapproval named the entire 2016 Order, the 2024 rule survives unless it is “substantially the same” as that whole order—something the court says is “far from” the case. Even if compared head-to-head with the 2016 breach-rule, the 2024 version still passes because of:
- Good-faith exemption to the breach definition,
- Different timing and content for customer notice,
- Extension to TRS providers,
- Removal of mandatory waiting period.
Judge Griffin counters that this reading neuters Congress’s veto power, allowing agencies to re-promulgate piecemeal. He would treat each sub-rule as independently covered by the disapproval.
3. Impact
- Immediate Compliance Obligations. All telecommunications carriers and TRS providers in Sixth-Circuit states (and, practically, nationwide) must implement breach-notification processes for PII by the FCC’s enforcement deadline.
- Regulatory Authority. The decision cements § 201(b) as a potent, post-Loper Bright tool for the FCC, potentially usable for other privacy-, cybersecurity-, or consumer-protection rules.
- CRA Doctrine. By limiting “substantially the same” comparisons to the entire previously disapproved rule, the Sixth Circuit sets a narrow bar for CRA re-issuance challenges—departing from the broader, more preventive approach urged by the dissent. This may embolden agencies after future CRA vetoes.
- Federal–State & FTC Alignment. Carriers now face overlapping regimes: FCC breach-notification, state data-breach statutes, and (for non-common-carrier services) FTC “unfair practices” enforcement. Harmonisation efforts will be critical.
- Supreme Court Prospects. The split between majority and dissent on § 201(b)’s breadth and CRA scope, combined with the backdrop of Loper Bright and the major-questions doctrine, makes the case a candidate for certiorari.
Complex Concepts Simplified
- Customer Proprietary Network Information (CPNI): Technical and usage data a carrier learns because you subscribe—call time, location, amount of data used, etc. Long regulated under § 222.
- Personally Identifiable Information (PII): Data that can identify you directly (name + SSN) or indirectly (biometrics, login credentials). Not expressly referenced in § 222.
- Section 201(b): A 1934 clause making “unjust or unreasonable” carrier practices unlawful and authorising the FCC to make rules. Traditionally about rates, now extended to privacy-related practices.
- Section 222: 1996 addition focusing on privacy of CPNI, aggregate data, and directory information; spells out rules and exceptions.
- C.R.A. “Substantially the Same” Bar: If Congress & the President veto a rule, agencies cannot re-issue it in “substantially the same form” unless Congress later allows. The Sixth Circuit now defines “rule” holistically, limiting the bar.
- Direct-Connection Doctrine: Short-hand for the court’s test: a carrier practice falls under § 201(b) if it bears a close, direct relationship to providing communications service—even if not strictly “necessary” like rates or classifications.
Conclusion
CTIA v. FCC is the first major appellate decision after Loper Bright to uphold sweeping privacy regulation on a fresh, court-constructed reading of agency authority. By:
- Restricting § 222 to CPNI,
- Expanding § 201(b) via the Direct-Connection doctrine, and
- Interpreting the CRA’s “substantially the same” clause narrowly,
the Sixth Circuit both broadens the FCC’s reach and trims Congress’s veto leverage. Carriers must now treat PII breaches with the same urgency as CPNI breaches, while legal watchers can expect renewed battles—possibly at the Supreme Court—over how far the Communications Act and the CRA let agencies go in the data-privacy realm. For now, however, the FCC’s 2024 Data-Breach Reporting Rule is law within the Sixth Circuit, and its reasoning will likely influence federal privacy governance nationwide.